A powerful site.

Enough to knock you out :)


Rise in road deaths in March 2014

Road deaths in France rose considerably in March 2014. Compared with March 2013, they show an increase of 28%.

Two factors explain this increase. Bad weather (snow, storms) in some regions is said to have caused serious accidents.

Meanwhile, in other regions, very good weather encouraged travel and therefore accidents.

There were 256 additional road-related death notices this month.

Filed under: death notices, deaths


Darty discount voucher

This spring, take advantage of Darty's exclusive offers to refurbish your home.

With a Darty promo code you can buy a refrigerator, a washing machine, a flat-screen TV, a new mobile phone, a Blu-ray player, a hair-styling set and more at affordable prices.

For more discount codes, vouchers and deals, check our site regularly!


Filed under: Darty promo code


Pierre et Vacances discount

For your holiday rental, Pierre et Vacances offers exclusive deals and promotions not to be missed, whether you stay in France or go on holiday to Spain or Italy this summer. Check our site for a Pierre et Vacances promo code.



Mobile operator - B&You

Attractive mobile offers; B&You might be worth a look. The low-cost version of the Bouygues plan… It's on b-and-you.fr

For even more savings, discounts and reductions are offered through the B&You promo code. More details on this soon.


Filed under: b&you


The Questionable Value and Ethics of TrustedSec’s Pen Test of the HealthCare.gov Website

Yesterday, Rep. Lamar Smith, the Republican Chairman of the House Committee on Space, Science and Technology had four cyber security experts testify about the poor security of healthcare.gov’s website. Of the four experts, at least two were ardent critics of the Obama Administration in general and the Affordable Care Act specifically: David Kennedy, the CEO of TrustedSec and Morgan Wright, the CEO of Crowd Sourced Investigations. And of those two, only one - David Kennedy - could accurately be called a cyber security “expert”.

While it's not surprising that a Republican Committee would load its witness list with individuals who would support its anti-Administration agenda, what was surprising was that David Kennedy used his reputation as a pen-tester to do an unauthorized security audit of the site and then go public with his findings. TrustedSec LLC, Kennedy's company, was not engaged by the U.S. Department of Health and Human Services (HHS) to perform any type of security testing on Healthcare.gov. If it had been, he would be under an NDA not to discuss his findings. Instead, he took it upon himself to run a passive test against the site.

Passive testing occurs when a user monitors his interaction with a website by using a proxy server and a “sniffer” to inspect the traffic between the website and the proxy server. Kennedy hasn’t disclosed exactly how he conducted his passive vulnerability assessment but it wouldn’t have revealed enough data to warrant an opinion that the site “had already been hacked”, as Mr. Kennedy told the committee:
“And if I had to guess, based on what I can see … I would say the website is either hacked already or will be soon.”
In my opinion, this raises serious ethical questions. Vulnerability assessments including penetration testing are hugely sensitive operations that rely upon confidentiality and discretion on the part of the testing company. In fact, it would be professional suicide for any pen tester to “out” the vulnerabilities found on a client’s website. Obviously, neither Kennedy nor TrustedSec had that relationship with HHS. Instead, Kennedy ran an unauthorized and non-defined “passive” vulnerability assessment which by its nature could not provide any kind of thoroughness in its findings and then announced those findings publicly to support a Right-wing political agenda. If he had done that against a private company, he’d be sued.

In contrast to the approach that Kennedy took, Dr. Avi Rubin (Director of the Health and Medical Security Laboratory and Technical Director of the Information Security Institute at Johns Hopkins University, and one of the remaining two experts who testified before the committee) advised that a full security review of the site was in order, and:
“I would need to know whether there are inherent flaws vs. superficial problems that can be fixed,” Rubin says. “If they can be fixed, that’s better than shutting it down.”
What a concept. Do a proper investigation and then provide an informed opinion based upon facts.

UPDATE: David Kennedy has posted his response to this article in the comments section. I encourage readers to read the comments in their entirety and join in the debate if you so choose.

UPDATE #2 (11/21/13): David Kennedy has maintained that neither he nor his company did anything unethical. I’m not saying that they did. I’m arguing that what was done by Kennedy and his firm raises questions in my mind about what is currently considered to be ethical in the security field, and that those standards need to be challenged, discussed and debated. That’s what I’m trying to do with this article.
Related:

U.S. Gov Employee Responds to TrustedSec’s Review of Healthcare.gov
Congressional briefing on Healthcare.gov Security Issues - Unclassified Summary of findings

Posted by Jeffrey Carr at 10:32 PM

Labels: ACA, Avi Rubin, David Kennedy, hacked, healthcare.gov, JHU, Morgan Wright, Obamacare, pen testing, TrustedSec, vulnerability assessment
37 comments:

Rik Ferguson, November 20, 2013 at 5:09 AM
Hi Jeffrey, I watched the proceedings online, and from where I stood, the panel of experts did their level best to steer clear of political angles and stick rigorously to technical and scientific fact, conjecturing only where they were asked to. David Kennedy, whom you single out for the most criticism in your blog post, in particular said on more than one occasion that he was staying away from political posturing and was present solely in the role of expert technical witness. This despite repeated attempts to goad the witnesses into political positions by the panel. The panel itself often strayed from the technical nature of the debate, attempting to hijack proceedings to a political agenda, but the witnesses themselves never did. As for the passive pen-testing, in order to present credible testimony, David Kennedy of course had to have a look at the patient. He inspected the external facing aspects of healthcare.gov, formed his professional opinion and then offered it up to the panel. What use would any of us be if we, for some misplaced sense of ethics, declined to even interact with the site/servers in question?
For reference, yesterday I too was asked to comment on healthcare.gov by a journalist, I too interacted with the site in order to form my opinion. My reply to the journalist was as follows verbatim (and is in accordance with David Kennedy’s assertion “I would say the website is either hacked already or will be soon”):

“Most of the trouble here, at least the visible trouble, seems to be caused by the site offering the autocomplete function in the search box. It's a little embarrassing to offer up to visitors the same attack techniques that have previously been tried by others. It's certainly not best practice and should be disabled or proactively scrubbed, however it seems from your testing at least that none of the attempts result in successful exploitation. I did not want to go further with testing for vulnerabilities as I do not have the permission of the system owner.

You can draw a couple of conclusions from the behaviour though: the developers *do* seem to be actively filtering out swear words from being displayed in the suggestions list (I spent some time trying to get one in particular to appear) but they are not filtering out strings associated with attacks. Does this mean that they did not anticipate such a high level of interest in poking holes in the website? That would be A Bad Thing.

They do not appear to have spent a lot of time on the sanitisation of input (the best mitigation against these sorts of attack) judging by the poor error handling and the oddities that can be achieved, for example, with the input tag. This too would be A Bad Thing and neither of these bode well for the robustness of the site.”


Ali-Reza Anghaie, November 20, 2013 at 9:25 AM
What scares me is that the site is ~barely~ the tip of the electronic iceberg when it comes to ACA - and if they don’t pay attention to the most politically visible part - what of the rest?

I actually do believe Healthcare is a NatSec issue and while disagreeing w/ the specifics of ACA - support the idea. However, this is just brain dead stupid especially in light of what they have NIST going around doing/saying about improving security practices.


Jeffrey Carr, November 20, 2013 at 8:10 AM
I'm uncomfortable with a security professional declaring a website “either already hacked or will be so soon” without having conducted a thorough security review. If Kennedy wanted to help, he could have offered his company's services to HHS, conducted a thorough assessment under NDA, and provided his findings and recommendations that way. Instead, he did a shallow assessment, made a sensational claim, and added fuel to the fire of anti-ACA political rhetoric on Fox News and other conservative media platforms. I find that objectionable.


Branden Miller, November 21, 2013 at 8:50 AM
He has also made the same claims on MSNBC and CNN. You are quite frankly spreading FUD yourself. Your blog makes more assumptions than he did in his testimony. The point is this: using passive techniques, he was able to gain sensitive information from a site with a trusted relationship with other sites storing sensitive data.


Luck, November 21, 2013 at 2:18 PM
This comment has been removed by the author.


adamo, November 20, 2013 at 9:10 AM
In principle what he did (and said) was wrong. But sometimes, at least over here, in order to make sure that a proper investigation is ordered and funded you need a statement like this, regardless of its accuracy, for it will push the bureaucrats to act under the pressure of the media.

Not the best of strategies, but among the fastest.


Ali-Reza Anghaie, November 20, 2013 at 9:18 AM
Do. Not. Get. “We” do this all the time - ~all the time~. Heck, Jeff speculates (rightly so) on various programs and Governments passively in a way that isn’t substantively different than what Kennedy did. Certainly not proclaimed so easily political.

I think like Jeff has said about economic espionage accusations or variations between China and the US - a distinction without a difference?


Ali-Reza Anghaie, November 20, 2013 at 9:15 AM
I’m not following - you make such claims all the time against programs you (or any of us) don’t have full details, permission, or views upon. Further the passive approach and opinions he espoused fit right in the (first pass and growing) NIST guidelines - which are an invariable menu of approaches (this might be a problem itself but for another time).

Your whole post is aligned in a partisan fashion down to your comment - that could even more easily be taken as blatantly partisan than anything Kennedy did. I think that would be an unfair rubric to infer or apply to either of you. I especially have a hard time concluding Dave was partisan because only Fox has been willing to cover this in that regard. I have not seen any indication Dave chose Fox over some other network for example.

Also lost in your post was how many more broadly general things were discussed - including requirements documents, SLOCs comparisons, etc. that had nothing to do w/ Kennedy and were all quite valid.

Likewise when (albeit they aren’t anymore) the Democrats were pushing for civil liberty reforms the fact that they wouldn’t be pushing as hard if it wasn’t partisan doesn’t exclude all their arguments and witnesses from validity. So I don’t hold that aspect (political gamesmanship) against ~Dave Kennedy~ since I still don’t see his approach as incorrect ~once asked~ to testify to it.

As a simple matter of fact we often cheer passive assessments and warnings when it comes to positions we agree on. We cheer this behavior when done as “research” released at CONs against Google, Apple, etc. And if I understood correctly Dave Kennedy included a complaint that even the process to submit criticisms or assess such programs wasn't clearly laid out up front (although the IG and AG angle would be the obvious ones until Bug Bounties were done).


Jeffrey Carr, November 20, 2013 at 9:30 AM
I suggest that if he wanted to do it right, he should have volunteered to offer his services to HHS, do a thorough audit, and make a recommendation based upon the facts, which is also what Dr. Rubin recommended. Instead, after a “passive” audit of unknown scope, he claimed it was hacked or soon would be, which is just inflammatory. I doubt NIST is recommending that in their guidelines.


Dave Kennedy, November 20, 2013 at 2:32 PM
Hey Jeff, I figured it was best to respond to this directly at first. You make completely false allegations with no knowledge of what actually occurred. I’m happy to explain these in order of your points because they fail to show reality.

First - your quote of me:

“And if I had to guess, based on what I can see … I would say the website is either hacked already or will be soon.”

Your response: In my opinion, this raises serious ethical issues on the part of Mr. Kennedy and his company TrustedSec LLC. Vulnerability assessments including penetration testing are hugely sensitive operations that rely upon confidentiality and discretion on the part of the testing company.

My response: No actual “pentesting” occurred in any way shape or form, we did identify critical exposures that were leaked through Google with vulnerable extensions as well as information leakage of personal information amongst other things. Again no “hacking”, what’s readily available through querying Google. Additionally, all of these findings were turned over immediately without question to individuals working inside to fix the issues. Nothing displayed posed any risk at all as they were not publicly available until resolved. Let me repeat this statement differently - all exposures were reported immediately upon discovery to the individuals working on addressing the security concerns with the healthcare.gov website.

My quote: “I would say the website is either hacked already or will be soon”

Now on to my opinion - I was asked directly on whether or not I thought the website would be hacked or could be hacked. If you weren’t following, if you threw a semi-colon inside the search function which was ALL over the news (we didn’t discover this), it showed top search results for SQL injection attempts - indicating that the website was already under attack. Nothing I did there or even released.

To address your comment directly - I made a judgement based on what I knew, what my opinion was, and my experience in the security industry. Last I heard, serving 5 years in the military, two years in Iraq in cyber and forensics, and over 10 years in the private sector gives you the right to express an opinion based on your experience. You jump to the conclusion that actual attacks occurred, this isn’t the case at all.

Your words here:

Passive testing occurs when a user monitors his interaction with a website by using a proxy server and a “sniffer” to inspect the traffic between the website and the proxy server. Kennedy hasn’t disclosed exactly how he conducted his passive vulnerability assessment but it wouldn’t have revealed enough data to warrant an opinion that the site “had already been hacked”, as Mr. Kennedy told the committee:

My response:

Not true at all - everything was disclosed on how we did what we did prior to a meeting with a session between Republicans and Democrats. Additionally, exactly how we found them was communicated to individuals working on remediating issues with the website. Again - you never asked any of this and went to unethical behavior.

What you may not understand is that I served in Iraq two years, that I fought for this country and that I have done nothing but promote security in this industry from an ethical perspective. I’ve always done responsible disclosure in every aspect of my life as well as promote forward thinking security. I run one of the top security conferences in the country now all around the betterment of the industry and bringing a family feel to this broken field we call security. Your comments strike a nerve because they are outrageous, completely factitious and false. I respect that you have an opinion, but one that is fabricated, slander, and others isn’t one that’s acceptable to me.

Jeffrey Carr, November 20, 2013 at 3:50 PM
Dave, I’m sure that you think that you acted ethically. I don’t share that opinion. Does the fact that we have differing opinions about your actions entitle you to threaten to “pull some favors” with friends of yours that are speaking at my event (https://twitter.com/HackingDave/status/403292178421514240) meaning, I’m assuming, to get them to withdraw? No, that would be actionable if it results in financial harm to me.

Do you think that of the two of us that you’re the only person who has served his country, wants to better the industry, or served his customers responsibly and with integrity? You’re not.

I’m criticizing one action that you did which I think was counter-productive and unethical for the reasons stated above. You could have turned over your findings to HHS who are already actively engaged in repairing the site and left it at that. There was no need for you to make it public. That not only didn’t make the site any safer, it further roiled the political pot.

The right and wrong of exposing vulnerabilities has always been a grey area. What’s ethical to one person is often unethical or at least of questionable ethics to another. Even illegal behavior has been justified from time to time under perceived moral or ethical grounds. I accept that you thought you acted ethically and I’ll leave your comment as-is so that your dispute of my article is on the record. I can agree to disagree. Can you?


Dave Kennedy, November 20, 2013 at 3:54 PM
Jeffrey, are you listening to what I had posted? The issues WERE disclosed to HHS several WEEKS and MONTHS before the actual hearing. That DID occur and CONTINUES to occur. Let me restate my comments here - they were notified as soon as they were discovered and NO issues were released that had not been addressed. I followed every step in responsible disclosure.

On the last statement: “I accept that you thought you acted ethically and I’ll leave your comment as-is so that your dispute of my article is on the record. I can agree to disagree. Can you?”

I accept that you have a different opinion and disagree with my approach, and that’s something I can respect and agree with. Calling TrustedSec and myself unethical is not something that I can agree with as it’s not factual.

Jeffrey Carr, November 20, 2013 at 4:01 PM
I believe that you are certain of the correctness of your actions and that you dispute my assessment of your actions as unethical. And I’m happy to leave your defense intact and on the record. I hope that we can agree to disagree like gentlemen.


Dave Kennedy, November 20, 2013 at 4:07 PM
I appreciate that and am more than willing to work with you on discussing, but I can’t close this until the statements that my company as well as myself performed unethical behavior are removed. Until that is solved, and the slander removed, we still have an issue that needs to be addressed. Happy to work out your issues and discuss, but I cannot stand by while you make inaccurate accusations about something I’ve spent a lifetime building.


Jeffrey Carr, November 20, 2013 at 4:13 PM
I think you give my opinion too much weight, Dave. Judging from Twitter, most people agree with you, not me. But let’s dive into this a little deeper. You said that you had disclosed these issues to HHS months ahead of time. Did HHS give you permission to disclose these problems publicly? If they did, then I’ll post a retraction. If they didn’t, then my opinion remains that you shouldn’t have made it public.


Dave Kennedy, November 20, 2013 at 7:07 PM
Your weight has a lot of meaning - everyone’s does. It’s not a matter of agree/disagree, I think we both feel we are right during the situation.

On the disclosure, I followed responsible disclosure: http://en.wikipedia.org/wiki/Responsible_disclosure which is an industry accepted practice.


Jeffrey Carr, November 20, 2013 at 8:13 PM
So according to the definition of responsible disclosure, “all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details.” What was the period of time that HHS agreed to?


Dave Kennedy, November 21, 2013 at 5:57 AM
In responsible disclosure there are two methods. One is when the exposure has been fixed and there is no more risk to the organization; the researcher can then publish. Oftentimes this is a challenging one because most applications developed are deployed across multiple customers and it’s tough to tell when all of the exposures have truly been addressed, patched, etc. In this case, it’s a bit different since it’s a single website, the issues have been fixed, and there’s no more risk to the individuals. At that point, the researcher posts the information so as to inform the public on the risks identified and to ensure that the issues that were identified don’t exist again, as it directly exposes the customer.

Second is when it’s more impactful to a wide variety: a respectful timeframe to meet, agreed on by both parties. In this case there weren’t any affected parties as the issues were fixed.


Paint, November 21, 2013 at 5:12 PM
Jeff for your reading pleasure: https://drive.google.com/file/d/1IdNHIm8wVYZS2BgCdiyhNjOdlcpEmuP_0A-JCYPLRf1_vjWnpRer-VwRfNWR/edit?usp=sharing


blakdayz, November 21, 2013 at 5:15 PM
Well, I stand with Dave on this one.
You won’t walk through any door I guard, any time soon. Jeff, you are generating drama for clicks. Where are your ethics again? Meh.


Jeffrey Carr, November 21, 2013 at 6:00 PM
Paint - thanks. I’ve linked to that report in the next article and just finished checking out the report’s sources. I’ll be writing a follow-up on that soon.


Minnotauro Smith, November 21, 2013 at 8:46 PM
Why don’t you think that Mr. Kennedy should’ve spoken out about this? I think everybody has a right to know when their personal information could be in somebody else’s hands. What’s unethical about telling people that the government screwed up and now their personal lives could be screwed up because somebody else could have their information in their hands? I think that the government putting up a website and taking people’s information before it was totally secure is unethical.


fc9b74c2-52d0-11e3-ba73-000bcdcb8a73, November 21, 2013 at 9:20 AM
The report itself reads like an advertisement for the TrustedSec company. I’ve worked in the security field and written and read many reports. Never in my career have I encountered a professional security assessment that discusses the analyst’s time spent doing television interviews, nor have I seen news reports used as justifications for security vulnerabilities. While some of the technical issues disclosed in the report are true and must be addressed, I believe that the authors attempted to use something that would gain national attention to put their name and their company in the public view in what amounts to a whole lot of free advertising. Even the presence of the team’s Twitter accounts at the end shows a step towards self-promotion and a step away from a professionally written document.


Dave Kennedy, November 21, 2013 at 10:16 AM
Glad you have an opinion on the matter and I respect that. You couldn’t be further off from the truth or as far off base as I’ve seen, but it’s still your opinion. When this happened, it wasn’t supposed to be a big thing; it kind of blew up after the testimony. Couldn’t have predicted that.


Matt Davis, November 21, 2013 at 10:58 AM
Jeffrey, your reason to call David ‘unethical’ seems to stem from not doing a full pentest, which makes no sense. The whole point is that they rushed the site out and botched even the IT side, let alone the security. HHS was not in a position to even listen to, let alone accept, a free pentest. The only thing unethical here is that HHS didn’t have a test done (or at least a good one) or didn’t implement all the recommendations.

The fact is, Dave did the most ethical type of testing he could within the bounds of what’s legal and given that he did not have an agreement with HHS. Within NIST SP800-115, this is referred to as Target Identification and Analysis Techniques. Validation was not permissible. And if an organization fails to address vulnerabilities in a timely manner, which is the case here, it is responsible to disclose findings to the impacted stakeholder, i.e. the American public, if that’s what it takes to drive the organization to do the ethical thing.

As for whether Dave was unethical in reporting through his company, I fail to see why he not only could but also should. He and his team invested time and money into performing good analysis and doing the hearing. His paper hardly reads like a marketing brochure. They should be proud of what they did and take credit for it.

Again, take some time to think about who is being unethical here. It’s the organization that failed to integrate security and ignored warnings. It’s those attacking Dave’s character and integrity for advocating for the consumer. It has nothing to do with the inability to perform a thorough test because it’s illegal or the organization is ignorant.


Jeffrey Carr, November 21, 2013 at 11:55 AM
To everyone that has commented here, thanks for lending your perspective to the discussion. Please read the new blog post dated 11/21/13 which is a response from a U.S. gov employee to the content contained within TrustedSec’s report.


oncee, November 21, 2013 at 4:55 PM
Jeff,

Dave Kennedy is a friend of mine and I watched his full testimony, as well as the testimony of the other experts that testified before Congress this week. Dave’s findings and his willingness to testify before the committee were based on his genuine effort to let those in charge know that there are huge security problems with healthcare.gov, especially in light of the fact that the problems had already been reported to those who could address the issues. Reporting these issues was the right thing to do, and he did it in the correct way. It would have been unethical to not report the issues that both Dave and others have found with the site.

Those who wish to make this a political debate have buried their heads in the sand. I said this on Twitter after Dave’s testimony, but if the government wants a full accounting of the problems with healthcare.gov they need to authorize a penetration test. I jokingly said they should hire TrustedSec because I know Dave and his company would do a good job.

In the end this process should be about protecting the digital assets of the United States government and those who wish to use their services. There is no politics in real information security.

Respectfully,
Bill Gardner


MaXe, November 21, 2013 at 7:16 PM
There is nothing unethical or illegal about browsing to a website and inspecting the headers the website is sending, guessing how your password is stored and the associated account policy, etc.
You are thinking too much like an American when it comes to “jail/charge all the hackers”, because what David Kennedy did according to American law is not illegal. The only thing he could’ve been sued for would’ve been defamation, or something similar.
Thankfully you cannot sue because you don’t like another person or company in many other countries, because their legal system is based on “bonus pater familias”.


Alex Hutton, November 22, 2013 at 5:56 PM
It’s kind of tough to take a high-horse stand on cyber ethics when you take money from advertisers whose products are designed to steal content and circumvent US copyright law.


Jeffrey Carr, November 22, 2013 at 6:04 PM
I have advertisers? That’s news to me, Alex.


Ali-Reza Anghaie, November 23, 2013 at 12:13 AM
Yeah - your blog carries ads and Zeropaid.com is among them. I think that might be what Alex is referring to in that comment.


Jeffrey Carr, November 23, 2013 at 6:21 AM
Bullshit. I don’t have paying advertisers as charged. Zeropaid was there from years ago when they ran some interesting articles. Happy to drop it.


Tom Brennan, November 22, 2013 at 6:29 PM
Hack-a-thon Finds 220 Bugs in Facebook, Google, Etsy. Just think if that included a few .gov sites.

http://securitywatch.pcmag.com/vulnerabilities/318237-hack-a-thon-finds-220-bugs-in-facebook-google-etsy


lester jones, December 3, 2013 at 8:16 AM
Dear Mr. Kennedy, I saw you on the news. According to this page you may have broken the law with your attempts to hack healthcare.gov.
I was curious what your qualifications are as a security expert. You didn’t mention any specific weaknesses in the US Compassionate Care Act website. Were you hired to appear on a talk show? By whom? Are you saying that the web designers that built the site are incompetent? LinkedIn won’t show your profile to non-paid members. I looked on your website. It says that you have no degree in any field and no certifications in anything. It is vague about work history: Chief Security Officer (CSO) for an international Fortune 1000 company. Which one? What exactly did you do there? Why did you leave? That’s a vague title. The profile mentions NSA and US Marines with no details of his experience, schools, training. What were your duties at NSA? Did they involve intercepting or reading or listening to private communications? It says you were instrumental in Operation Iraqi Freedom (OIF) and developed a multi-million dollar classified system aimed at identifying potentially harmful insurgents. What was his rank and MOS? What does that mean, potentially harmful? Does that describe all of Iraq? How many actual enemies did that system kill or capture?
By all accounts US involvement in Iraq has not been hugely successful, so how was this work a success? Are you saying that you worked as a government hacker, which translates into being a civilian anti-hacker? It’s also odd that rather than be in a major US city your office is in a small-town strip mall shared with a foot doctor. Was the rent too high in Cleveland?
thanks


Dave Kennedy, December 3, 2013 at 10:40 AM
I actually responded to this one via email, feel free to post on here =)


Deborah Lafky, December 5, 2013 at 6:52 AM
I would love to see the response. I had the same questions about the thinness of Mr. Kennedy’s qualifications. Certainly there are many very well qualified and experienced security experts who could have been called on for this testimony. One wonders what was in play here other than political back-scratching.


BombShltr, December 11, 2013 at 3:49 PM
Well, I really don’t care about credentials at this point. So far, US taxpayers have paid $600 MILLION dollars for a website. With a US population of 317,224,485, that’s just under $2/person SO FAR, so taxpayers own it, and deserve to scrutinize it. It’s public domain! More importantly, HealthCare.gov is now the most expensive website ever built and it is very likely it will require a good deal more work. I didn’t sign up for that kind of incompetence, did you? This website isn’t even for a global audience. It’s not even for all the US states. Fourteen states and the District of Columbia use their own exchanges. So @LesterJones, I think the severely inflated price and the limited scope of the project suggest the incompetence of the project stakeholders without anyone even needing to point it out. BTW, I have an MSIT, am a former web developer, and have been doing enterprise IT project evaluation and implementation for 10 years. But if you notice, most of the people in this thread disagree with Jeffrey Carr. So he can feel free to pay for our shares of the tab.


Discount at Boulanger

Interested in the discount offers on Boulanger's online store?

The exclusive offers on certain products apparently come with certain advantages. Would you be interested in learning more about this topic?
