Sunday, December 8, 2013

Stop Sending Paper Applications! Use Our Unsecured Website! Damn the Cybersecurity, Full Speed Ahead!

'So it's come to this. During the past week, the Associated Press reported today, "Federal health officials," meaning "the Obama administration," began "urging" (i.e., "telling") counselors and navigators around the country to stop using paper applications for Obamacare coverage, "because of concerns those applications would not be processed in time." It seems that either Team Obama or AP (my money is on AP) doesn't mind risking criticism for waiting to let this news out until a weather- and sports-dominated Saturday. It's apparently okay to keep those who don't know any better, i.e., those who went to the trouble of printing a paper app on their own, in the dark.

So you shouldn't use paper. But the vastly under-reported but inarguable fact is that isn't secure; experienced IT security experts strongly warn against using it. So consumers shouldn't be going online either, meaning that there's no defensible way to apply for coverage before the end of the year.’ - As Feds Say to Stop Using Paper Obamacare Apps, AP Again 'Forgets' That Is Not Secure, NewsBusters, 12/07/2013

‘For the love of Jiminy Cricket, how much cybersecurity incompetence are American citizens expected to accept and excuse while also footing the $660 million bill? Online security experts say the “new and improved” site may actually be more insecure now than before it was fixed!

An operational progress report quoted Jeffrey Zients, a management consultant on repairs to the Obamacare site, as stating, “The bottom line -- on December 1st is night and day from where it was on October 1st.” Well if this is “day,” then it’s an Arctic Alaskan daytime with no sunlight as “experts” blindly attempt to bolt on security to a system that was developed without a care about the security or privacy of Americans.

David Kennedy, founder and principal security consultant of TrustedSec, warned that the was not secure. In fact, Kennedy previously told CNBC that it’s hard to bolt on security after a site is developed and that “no security was ever built into the Obamacare site.”

So how many of the security risks were eliminated now that the administration “fixed” the site? None according to what Kennedy told the Washington Free Beacon. “It doesn’t appear that any security fixes were done at all.” He added:

“There are a number of security concerns already with the website, and that’s without even actually hacking the site, that’s just a purely passive analysis of [it]. We found a number of critical exposures that were around sensitive information, the ability to hack into the site, things like that. We reported those issues and none of those appear to have been addressed at all.”

“They said they implemented over 400 bug fixes,” he said. “When you recode the application to fix these 400 bugs—they were rushing this out of the door to get the site at least so it can work a little bit—you’re introducing more security flaws as you go along with it because you don’t even check that code.”

Well that’s just peachy keen and that’s before considering the “hacker” threat. But, hey, it’s not like the feds are required to notify citizens if there is a breach; after all, it’s so much easier to leave that headache to each state. Just ask Vermont, since Vermont Health Connect had to admit to a security breach that allowed “improper access to another user’s Social Security number and other data.”

Kennedy also said that:

the team working on is more likely to hide its security flaws than address them. When it was revealed that the most popular searches on the website were hack attempts—confirmed by entering a semicolon in the search bar—the website simply removed the tool.

“The top results were hacker attempts,” Kennedy said. “Their fix for it wasn’t, ‘Hey let’s restrict people from inputting malicious code into the website,’—because that’s how hackers break into websites—it was, ‘we’re just going to completely disable that entire function completely, and not even show the search results back.’”

“We’ve deployed 12 large, dedicated servers,” states the operation progress report. Oh goodie gumdrops, it “can now handle about as many shoppers as the average custom T-shirt site,” pointed out Human Events. The site has “a remodeled 404 Error page that pretends to be a ‘waiting room,’ where you can ‘queue up’ and leave an email address to be notified” when it’s your turn to fill out all your private info.

Julie Bataille, Director of Communications, Centers for Medicare & Medicaid Services, summed up the newly “fixed” site’s progress report [pdf] as having an upgraded and reconfigured firewall that protects the system while allowing “more than five times the network throughput.” The “improved shopping” experience on supposedly can handle 50,000 people logged on to the website at once, and “more than 800,000 visitors a day;” but even with a lower number of “shoppers,” the Associated Press reported that many visitors faced “the same old sputters and even crashes.” ‘ - more vulnerable to hacking & privacy breaches after 'fix', Computerworld, 12/03/2013

Links to the above-mentioned articles appear below:
