hackers

NSA knew about and used Heartbleed web exploit

The tech web has been abuzz this week about what has been dubbed “Heartbleed,” a code exploit in the OpenSSL encryption system, which could have allowed hackers and cyberterrorists to access login credentials from some of the biggest websites in the world over the last two years. Lists were quickly constructed to explain to users which sites were affected and which passwords they needed to change immediately.

It turns out the NSA has known about the Heartbleed vulnerability for years, but never warned anyone that millions of Americans’ online identities could be at risk. Indeed, not only did they not sound the alarm, the  NSA used the bug to access those online accounts in its already questionable surveillance activities.

In Defense of @AnonymousIRC #Anti-Sec

The rogue Internet hacker group @Lulzsec has disbanded after a two-month battle against targets across the world. In the wake of their attacks are many questions. How can organizations protect themselves against such attacks? How long will other hacker groups continue their cyberwars? And, is what they’re doing actually…ethical?

Without question, hacking is illegal. Yet, despite the illegality of what hacker groups like Anonymous do, there does appear to be a “moral code” to their actions. For example, Anonymous recently took down several Orlando-area websites, including Orlando Mayor Buddy Dyer’s re-election site. Why would an international hacker collective target Orlando? They felt arresting members of Orlando Food Not Bombs, a charitable organization that feeds the homeless in city parks, was wrong. “Anonymous believes that people have the right to organize, that people have the right to give to the less fortunate and that people have the right to commit acts of kindness and compassion,” the group stated in a release.

Wait, a hacker group that stands for “kindness and compassion”? Are there really “hacktivists” out there? Apparently.

Black markets come to life after government regulations force the natural economy underground. Anonymous is fueled by a similar mechanism.  The traditional (and, legal) methods of counter-balancing government abuse have ultimately failed. Freedom of Information Act requests are frequently sidestepped, or altogether ignored. The Mainstream Media — both Left and Right — have become nothing more than cheerleaders for whatever administration is in charge. And, real investigative journalism, like that of gadfly James O’Keefe, is far too rare. Nobody is left to watch the watchers.

A Free Market Solution to the War on Terror

On September 11, 2001, our world changed. It seems unreal that it was just nine years ago that Osama bin Laden managed to terrorize an entire nation. We responded militarily, as we tend to do when sucker punched like that. However, I’ve had an idea that’s been bouncing around my head for a little while now, and that is based partially on the idea that Congress can issue letters of marque and reprisal. In the digital age.

Al Queda has money. They have technical savvy. And they’re a pain in the butt.

However, a large amount of their ability to function is because of the internet and secure computer systems. Their money’s in banks, they use the internet to communicate. They’re backwards, but very 21st century at the same time. Every system they use is vulnerable to hacking.

So why not let the hackers have a field day?

Hackers, once considered a plague on computer systems, have been around since before the computer age. They used all kinds of tricks to get around the telephone systems for free. With the coming of the computer age, hackers started poking around in the new technology. Some maliciousness started, just look at viruses, but most hackers are just the curious sort. They might want to hack the Department of Defense computer system, but most to see if they can do it.

Now, let’s let them take that curiosity, and focus it on Al Queda. By issuing a letter of marque, you can hone the hackers’ skills towards crippling Al Queda. They want to hack a bank computer? Sure. However, you can only touch Al Queda money. Of course, once you hack it, it’s yours. They would be digital privateers, raiding the waves of the information superhighway and still fighting terrorism

Obama can’t say he wasn’t warned: Oh, look, the federal Obamacare exchange website was hacked in July

It may not be as headline grabbing as nude photos of celebrities that were lifted from Apple’s iCloud service, but a breach of Healthcare.gov, the federal Obamacare exchange, brings serious concerns about the security of the system as the Obama administration approaches the next open enrollment period.

The New York Times reports that, in July, hackers uploaded malware to a test server, one connected to Healthcare.gov, though they didn’t steal any information belonging to consumers:

The administration informed Congress of the violation, which it described as “an intrusion on a test server” supporting the website.

“Our review indicates that the server did not contain consumer personal information, data was not transmitted outside the agency and the website was not specifically targeted,” said Aaron Albright, a spokesman at the Centers for Medicare and Medicaid Services, which runs the website. “We have taken measures to further strengthen security.”

Mr. Albright said the hacking was made possible by several security weaknesses. The test server should not have been connected to the Internet, he said, and it came from the manufacturer with a default password that had not been changed.

In addition, he said, the server was not subject to regular security scans as it should have been.

Healthcare.gov users advised to change passwords

HealthCare.gov Heartbleed password prompt

Since the recent revelation about “Heartbleed,” a code exploit in OpenSSL encryption that allows hackers to access personal information, a number of websites have asked users to update passwords to protect themselves against any potential security breach.

The National Security Agency reportedly knew about Heartbleed for years and used the exploit to get around security encryption to access online accounts. The controversial intelligence agency, however, apparently never told anyone that about the security risk.

Though they say that “[t]here’s no indication that Heartbleed has been used against HealthCare.gov or that any personal information has ever been at risk,” federal officials are now advising users who have accounts on the federal Obamacare exchange to change their passwords:

Healthcare.gov still not secure after three months of fixes

Despite the much-touted fixes to the Healthcare.gov after a disastrous rollout on October 1, the federal Obamacare website remains vulnerable to hackers, according to security experts who spoke with Reuters:

David Kennedy, head of computer security consulting firm TrustedSec LLC, told Reuters that the government has yet to plug more than 20 vulnerabilities that he and other security experts reported to the government shortly after HealthCare.gov went live on October 1.

Hackers could steal personal information, modify data or attack the personal computers of the website’s users, he said. They could also damage the infrastructure of the site, according to Kennedy, who is scheduled to describe his security concerns in testimony on Thursday before the House Science, Space and Technology Committee.

“These issues are alarming,” Kennedy said in an interview on Wednesday.
[…]
“The site is fundamentally flawed in ways that make it dangerous to people who use it,” said Kevin Johnson, one of the experts who reviewed Kennedy’s findings.

Johnson said that one of the most troubling issues was that a hacker could upload malicious code to the site, then attack other HealthCare.gov users.

“You can take control of their computers,” said Johnson, chief executive of a firm known as Secure Ideas and a teacher at the non-profit SANS Institute, the world’s biggest organization that trains and certifies cyber security professionals.

Healthcare.gov is still a big security risk

 Still a big security risk

Not only has the Obama Administration failed to produce a fully functioning, user-friendly website — one that is still sending insurers incorrect information — Healthcare.gov remains a significant security threat to anyone who attempts to enroll in a health plan, according to an online security expert who discussed the issues with the Free Beacon:

Health and Human Services (HHS) released a progress report on Sunday following its self-imposed Nov. 30 deadline to repair the website, saying that the “team has knocked more than 400 bug fixes and software improvements off the punch list.”
[…]
“It doesn’t appear that any security fixes were done at all,” David Kennedy, CEO of the online security firm TrustedSec, told the Washington Free Beacon.

Kennedy said fundamental safeguards missing from Healthcare.gov that were identified by his company more than a month ago have yet to be put in place.

ObamaCare website security in question

identity theft

The federal ObamaCare exchange website’s glitches aren’t the only problem for the Obama Administration as it continues to face criticism for the embarrassing rollout. Questions over lax security for users — which could lead to identity theft — have surfaced once again (emphasis added):

Cybersecurity professionals are voicing questions about potential red flags in the new federal health care website system that could open the door to theft of personal information.
[…]
Experts have stopped short of calling these concerns “vulnerabilities” – a term that means a proven weak spot to hackers. But they say these red flags need attention.

“I’ll ask you your Social Security, your date of birth, [so] an hour later I can empty your bank account,” John McAfee, who founded the cybersecurity company of the same name but is no longer associated with it, complained on Fox News. The Obamacare websites, he said, have “no safeguards,” and the main site’s architecture is “outrageous.”

This isn’t a new concern. Back in August, Reuters reported that the Obama Administration was months behind on data security testing the exchange website. Senate Minority Leader Mitch McConnell (R-KY) questioned the security of the exchanges shortly after the Reuters report and called on the administration to delay their launch.

The Senate Shelves CISPA

CISPA

Nearly a week after the House of Representatives overwhelmingly passed the controversial legislation, it appears that the Cyber Intelligence Sharing and Protection Act — commonly known as CISPA — has been shelved, at least for now. Citing Internet privacy concerns, the Senate will not take up the bill, but will instead work on new legislation that addresses cyber attacks on the United States:

The Senate will not vote on a cybersecurity bill that passed the House earlier this month, according to two Senate staffers, dealing a blow to a measure that sparked opposition from privacy advocates and the White House.
[…]
Sen. Jay Rockefeller (D-W.V.), who is chairman of the Senate Commerce Committee, “believes that information sharing is a key component of cybersecurity legislation, but the Senate will not take up CISPA,” a committee staffer told HuffPost.

A staffer for the Senate Intelligence Committee said the committee also is working on an information-sharing bill and will not take up CISPA.

“We are currently drafting a bipartisan information sharing bill and will proceed as soon as we come to an agreement,” Sen. Dianne Feinstein (D-Calif.), chairwoman of the Senate Intelligence Committee, said in a statement Thursday.

The White House had already issued a veto threat on CISPA, citing privacy concerns, as ironic as that sounds given some of the things this administration has pushed. This is also quite similar to what happened last year when the House passed CISPA and it was killed by the Senate.

CISPA Passes the House

CISPA

Despite a veto threat from the White House, the House of Representatives overwhelmingly passed the Cyber Intelligence Sharing and Protection Act (CISPA), a bill that puts Internet privacy at risk:

The Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624, was approved in a 288-127 vote despite ongoing fears from some lawmakers and privacy advocates that the measure could give the government access to private information about consumers.

Ninety-two Democrats voted with Republicans in favor of the bill and just 29 Republicans opposed it. The bill secured enough votes to override a veto.

That’s greater support than last year, when a similar bill passed 248-168 with the support of 42 Democrats. Twenty-eight Republicans opposed that bill.

Click here to see how the representatives from your state voted.

While most agree that more needs to be done to protect the United States from hackers and other cyber threat, it needs to be done in a way that ensures Internet privacy. The bill, as currently, simply doesn’t go far enough to that end. The Electronic Frontier Foundation (EFF) recently noted that CISPA gives immunity to companies that improperly share data with the government.


The views and opinions expressed by individual authors are not necessarily those of other authors, advertisers, developers or editors at United Liberty.