We need to develop nationwide policies and security protocols that would govern how voting machines are secured.

We need to develop nationwide policies and security protocols that would govern how #voting machines are secured.

https://www.edu-cyberpg.com/Technology/vote.html

The fact that information is stored unencrypted on hard drives simply makes no sense in the current threat environment. That they can be left on devices, unencrypted, that are then sold on the open market is malpractice.

Since these machines are for sale online, individuals, precincts, or adversaries could buy them, modify them, and put them back online for sale. Envision a scenario in which foreign actors purchased these voting machines. By reverse engineering the machine like I did to exploit its weaknesses, they could compromise a small number of ballot boxes in a particular precinct. That’s the greatest fear of election security researchers: not wholesale flipping of millions of votes, which would be easy to detect, but a small, public breach of security that would sow massive distrust throughout the entire election ecosystem.

I BOUGHT USED VOTING MACHINES ON EBAY FOR $100 APIECE. WHAT I FOUND WAS ALARMING

AUTHOR: BRIAN VARNERBRIAN

IN 2016, I bought two voting machines online for less than $100 apiece. I didn’t even have to search the dark web. I found them on eBay. Surely, I thought, these machines would have strict guidelines for lifecycle control like other sensitive equipment, like medical devices. I was wrong. I was able to purchase a pair of direct-recording electronic voting machines and have them delivered to my home in just a few days. I did this again just a few months ago. Alarmingly, they are still available to buy online.
reverse-engineered the machines to understand how they could be manipulated. After removing the internal hard drive, I was able to access the file structure and operating system. Since the machines were not wiped after they were used in the 2012 presidential election, I got a great deal of insight into how the machines store the votes that were cast on them. Within hours, I was able to change the candidates’ names to be that of anyone I wanted. When the machine printed out the official record for the votes that were cast, it showed that the candidate’s name I invented had received the most votes on that particular machine.
This year, I bought two more machines to see if security had improved. To my dismay, I discovered that the newer model machines—those that were used in the 2016 election—are running Windows CE and have USB ports, along with other components, that make them even easier to exploit than the older ones. Our voting machines, billed as “next generation,” and still in use today, are worse than they were before—dispersed, disorganized, and susceptible to manipulation.

A recent in-depth report on voting machine vulnerabilities concluded that a perpetrator would need physical access to the voting machine to exploit it. I concur with that assessment. When I reverse-engineered voting machines in 2016, I noticed that they were using a smart card as a means of authenticating a user and allowing them to vote. There are many documented liabilities in certain types of smart cards that are used, from Satellite receiver cards to bank chip cards. By using a $15 palm-sized device, my team was able to exploit a smart chip card, allowing us to vote multiple times.

Karl Auerbach
Date: March 18, 2019
Well more than a decade ago, but after the disastrous Gore vs Bush election the Open Voting Consortium bought a used Diebold DRE (touchscreen) voting machine that had become unclaimed freight. An interesting aspect is that the laws regarding unclaimed freight can potentially extinguish or diminish things like license limitations – or non-disclosures – that might have applied to those taking the items in a normal chain of transfers.

The machine was as heavy as a Diebold vault, but that’s where the security ended.  It had a cheap lock that could, and was, picked in just a few seconds.  It ran MS Windows CE off of a compact flash.  It even still had the votes from the last election in which it was used (in Ohio.)

Subsequently I was part of a team on a project to build a reference implementation of voting systems for the state of California (and anyone else) – from precinct and canvassing (counting) center hardware to vote capture machines to vote counting machines to all of the surrounding procedures.  We had buy in for all of the various parts – UCLA and UC Berkeley law on procedures, UC Merced on hardware, UC Santa Cruz on software, etc.

We did not find “open source” to be necessary.  Rather we felt that the public would be best served by systems that could be inspected by anyone (including inspection of code), full testing by any interested party (of all components), and open publication of test results.  We did not feel that it was necessary to take the step to require free distribution (or re-distribution) of parts: we wanted to encourage private vendors to produce this stuff and we had to leave them some incentive to do so.

The key element was that all of the devices would be totally open for inspection and testing – and that at the precinct all inter-machine APIs would be in the form of paper that could be reliably read by both humans (with normal eyesight) and machines.

Some precinct machines would gather voter intent – with different machines for different kinds of human frailties ranging from bad eyesight to inability to accurately use a finger on a touch screen.  All would produce that paper ballot.  Separate machines would record those ballots.

Most people have tended to forget that often the easiest place to steal an election is in the transfer of ballots/tallies from precincts to the counting/canvassing center or at the counting center itself, especially as we move towards instant runoff style ballots.  So we designed all of that stuff, and procedures, as well.

One surprising obstacle was from county clerks:  they are tasked with the very difficult jobs of delivering a believable election on a small budget.  They have to deal with all of the practical things like warehousing voting machines and training precinct workers.  They have a real concern about the costs of storing paper ballots; they are not equipped to become local versions of Iron Mountain.

In addition various states have old laws that have to be rewritten.  For example, California has very strict limits on how long voting materials – such as cast ballots – can be retained after an election.

Unfortunately the project died before it was launched due to a sex (I think) scandal involving the California Secretary of State that broke on the day he was to sign the papers to launch the project.)

I think that it is a project that deserves to be resurrected.

THEY ALREADY KNOW WHO YOU ARE WHEN YOU #VOTE

Exactis, as the source of a leak of the personal records of nearly everyone in the United States.

Exactis, as the source of a leak of the personal records of nearly everyone in the United States.

The result is a cautionary tale about the liability that a massive dataset can create for a tiny company like Exactis. It also hints at just how easy it’s become for small firms to wield massive, leak-prone databases of personal information—without necessarily having the resources or know-how to secure them.

https://www.wired.com/story/exactis-data-leak-fallout/

WIRED had revealed that Exactis exposed a database of 340 million records on the open internet, as first spotted by an independent security researcher named Vinny Troia.

Using the scanning tool Shodan, Troia identified a misconfigured Amazon ElasticSearch server that contained the database, and then downloaded it. There he found 230 million personal records and another 110 million related to businesses—more than two terabytes of information in total. Those files didn’t include credit card information, passwords, or Social Security numbers. But each one enumerated hundreds of details on individuals, ranging from the value of people’s mortgages to the age of their children, as well as other personal information like email addresses, home addresses, and phone numbers.

Exactis licensed that information to marketing and sales customers, so that they could integrate it with their existing databases to build more comprehensive profiles. But privacy advocates have warned that those same details, left open to the public, could just as easily allow spammers or scammers to profile targets.

the most painful breaches, like the Office of Personnel Management or Anthem health insurance incidents that involved stolen Social Security numbers and other hard-to-change personal data, are naturally the most valuable targets for attackers. Don’t forget the massive credit reporting agency Equifax to that list.

Social media, infowar, cyber and human security and ethics

google

 

 

 

 

From last year’s , but still cogent. With , and .

How hackers pulled off a $20 million bank heist

https://arstechnica.com/information-technology/2019/03/how-hackers-pulled-of-a-20-million-bank-heist/

By Lily Hay Newman
Wired.com
3/17/2019

In January 2018 a group of hackers, now thought to be working for the North Korean state-sponsored group Lazarus, attempted to steal $110 million from the Mexican commercial bank Bancomext. That effort failed. But just a few months later, a smaller yet still elaborate series of attacks allowed hackers to siphon off 300 to 400 million pesos, or roughly $15 to $20 million from Mexican banks. Here’s how they did it.

At the RSA security conference in San Francisco last Friday, penetration tester and security advisor Josu Loza, who was an incident responder in the wake of the April attacks, presented findings on how hackers executed the heists both digitally and on the ground around Mexico. The hackers’ affiliation remains publicly unknown. Loza emphasizes that while the attacks likely required extensive expertise and planning over months, or even years, they were enabled by sloppy and insecure network architecture within the Mexican financial system, and security oversights in SPEI, Mexico’s domestic money transfer platform run by central bank Banco de México, also known as Banxico.

[ECP] NetHappenings 3/18/19

YOUR HEALTH INFORMATION PRIVACY RIGHTS

HIPPA  

Office for Civil Rights Headquarters
U.S. Department of Health & Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-800-368-1019
TTD Number: 1-800-537-7697

HHS Releases Voluntary Cybersecurity Practices for Health Industry

GDPR, California’s Consumer Privacy Act, and next-generation ransomware and denial of service attacks, a firm’s ability to provide security is also becoming a matter of survival. Put it all together, and many CISOs today exist in environments where they are not understood by business executives and thus are not being included in business initiatives until it is too late and security vulnerabilities expose the enterprise to cyberattacks and compliance violations.

WHO OWNS YOUR MEDICAL RECORDS?

In 2016, more than 100 million Americans have had their electronic medical records hacked from health systems. For example, this June, Banner Health in Phoenix had a breach of 3.7 million electronic medical records.
Many hospitals throughout the country have been held hostage for their health information system by hackers and have had to pay ransom to regain control of their patients’ medical data.

2016 more than 100 million Americans have had their electronic medical records hacked. Each one can be sold for $50.
The Health Insurance Portability and Accountability Act was written 20 years ago, when medical records were kept on paper, and is not applicable to the contemporary digital era.

Moreover, the pervasive selling of our medical data is unchecked, with no legal protection. The massive hacking of health system data has not resulted in any new legislation to date or enforcement via established laws.

Informed Patient Institute
We rate the websites that help you find the right doctor, hospital, and nursing homes and we provide tips about quality concerns. also see

https://www.philly.com/philly/health/what-is-philly-health-costs-and-how-can-it-help-me-20180220.html

ProPublica analyzed nearly 17,000 surgeons and found wide variations in complication rates for some of the most routine elective procedures. Explore our database to know more about a surgeon before your operation.
https://www.propublica.org/article/surgeon-level-risk-quotes

2016 Consumer Reports Medical Board Ratings

Medicare Provider Utilization and Payment Data: Physician and Other Supplier

Digital business has become a key driver to business strategy across industries.
CIOs have digital transformation at the center of their corporate
strategy.  #Cybersecurity, amazingly, is often not a top-tier priority in enterprise risk management. The #CISO, is only noticed when things go wrong. This is why CISOs are almost always fired or “resign” after major data breaches. The CISO is usually the most qualified person to manage post breach forensics, cleanup, and compliance audits.
https://venturebeat.com/2019/03/16/cisos-you-need-to-manage-by-walking-around/

Think a strong information security posture means you’re complying with HIPAA? Without proper documentation for government regulators, infosec protocols might safeguard data without meeting federal criteria.

Staff lapses and IT system vulnerabilities are key reasons behind SingHealth cyberattack, according to COI Report

ClassAction.org is a group of online professionals who are committed to exposing corporate wrongdoing and giving consumers the tools they need to fight back. We’ve been reporting on the legal space for nearly a decade and have built relationships with class action and mass tort attorneys across the country.

Prescription Hope
Prescription Hope offers over 1,500 brand-name medications all for the
set price of $50 per month for each medication. This covers 100% of the medication cost, no matter the retail price.

Market Share Matters: Evidence Of Insurer And Provider Bargaining Over Prices
Health-care providers and insurers have to agree on how much doctors will be reimbursed before doctors begin treating insurers’ clients. Those fees, which depend on the two parties’ relative clout. Abstract

A survey of the numbers, published this week in Health Affairs, shows that small-time doctor’s offices and insurance companies are getting squeezed by their larger competitors.
https://www.washingtonpost.com/news/wonk/wp/2017/01/09/its-hard-to-be-a-small-time-family-doctor-these-days-new-data-show/

Finally, U.S. hospitals will have to post their prices online.

Hospitals must post ‘chargemaster’ prices online.
Patient Estimate team call  484.337.1970
FAQ Requirements for Hospitals To Make Public a List of Their Standard Charges via the Internet
https://www.cms.gov/Medicare/Medicare-Fee-for-Service-Payment/AcuteInpatientPPS/Downloads/FAQs-Req-Hospital-Public-List-Standard-Charges.pdf
The chargemaster is not a useful tool for consumers who are comparison shopping between hospitals or health systems.
The chargemaster amounts are billed to an insurance company, Medicare, or Medicaid, and those insurers then apply their contracted rates to the services that are billed. In situations where a patient does not have insurance, our hospital has financial assistance policies that apply discounts to the amounts charged.
https://www.mainlinehealth.org/patient-services/patient-billing/standard-charges

A huge trove of medical records and prescriptions found exposed Thousands of health records and doctor’s notes were exposed daily
By Zack Whittaker TechCrunch.com March 17, 2019 A health tech company was leaking thousands of doctor’s notes, medical records, and prescriptions daily after a security lapse left a server without a password. The little-known software company, California-based Meditab, bills itself as one of the leading electronic medical records software makers for hospitals, doctor’s offices, and pharmacies. The company, among other things, processes electronic faxes for healthcare providers, still a primary method for sharing patient files to other providers and pharmacies. But that fax server wasn’t properly secured, according to the security company that discovered the data. SpiderSilk, a Dubai-based cybersecurity firm, told TechCrunch of the exposed server. The exposed fax server was running a Elasticsearch database with over six million records since its creation in March 2018. The faxes also included personal data and health information on children. None of the data was encrypted. […] Board of Directors responsible

MOUNTAIN VIEW, CA

800 West El Camino Real, Suite 350
Mountain View, California 94040
General +1 650 458 2620
Sales +1 650 458 2625
in**@*****ic.co
sa***@*****ic.co

The server was hosted on an subdomain of MedPharm Services, a Puerto Rico-based affiliate of Meditab, both founded by Kalpesh Patel.

NY Governor Cuomo Calls For Investigation on Facebook Health Data Collection

American Travelers Seek Cheaper Prescription Drugs In Mexico And Beyond
In Utah last year, the Public Employee Health Plan took this idea to a new level with its voluntary Pharmacy Tourism Program. For certain PEHP members who use any of 13 costly prescription medications — including the popular arthritis drug Humira — the insurer will foot the bill to fly the patient and a companion to San Diego, then drive them to a hospital in Tijuana, Mexico, to pick up a 90-day supply of medicine.

TechCrunch: Screen time inhibits toddler development, study finds. “In news that will surprise few but still alarm many, a study has found that kids 2-5 years old who engage in more screen time received worse scores in developmental screening tests. The apparent explanation is simple: when a kid is in front of a screen, they’re not talking, walking or playing, the activities during which basic skills are cultivated

Researchers Create Algorithm to Protect Kids from Disturbing YouTube Videos

Computer program that could bypass patents to produce synthetic drugs Software that can bypass current intellectual property and design medication with the same function as top drugs could help pharma companies…

“Massachusetts Attorney General Maura Healey alleges eight Sackler family members and nine Purdue board members or executives played key roles in the nation’s deadly opioid epidemic.