WASHINGTON (AP) — The government's own watchdogs tried to hack into HealthCare.gov earlier this year and found what they termed a critical vulnerability — but also came away with respect for some of the health insurance site's security features.
Those are among the conclusions of a report released Tuesday by the Health and Human Services Department inspector general, who focuses on health care fraud.
The report amounts to a mixed review for the federal website that serves as the portal to taxpayer-subsidized health plans for millions of Americans. Open enrollment season starts Nov. 15.
So-called "white hat" or ethical hackers from the inspector general's office found a weakness, but when they attempted to exploit it like a malicious hacker would, they were blocked by the system's defenses.
HealthCare.gov had some advance warning of the hacking attempt — a date range, but not specific times. HHS spokesman Kevin Griffis said the agency did not take additional precautions during that period.
The report came on the heels of the massive breach at Home Depot stores, which affected 56 million credit and debit cards. The inspector general's office released a public version that summarizes detailed findings delivered to the Obama administration.
It concludes that more work needs to be done to bolster security. Last week, the congressional Government Accountability Office released similar conclusions after its own review.
The inspector general found that the administration "has taken actions to lower the security risks associated with HealthCare.gov systems" and consumers' personal information.
But the auditors said they "remain concerned" about the use of encryption technology that is not certified to meet certain government standards. Encryption refers to the encoding of data traveling back and forth between consumers and HealthCare.gov to make it more secure.
In its formal response, the administration said it has taken other actions to resolve the encryption issue.
The inspector general's office tried to break into HealthCare.gov in April and May. Experts used a technique called "vulnerability scanning" and also conducted simulated attacks.
"Scanners simulate an outside malicious attack on the system and may identify ... vulnerabilities that could put a system's security at risk," the report explained. "Scanners use the same techniques as hackers, so the scanners test the security from an outside perspective."
HHS itself also runs similar scans regularly, part of its own security program.
The hackers from the inspector general's office found one "critical" vulnerability, described as a flaw that would let an attacker take over the system and execute commands, or download and modify information.
But the office said that when its "white-hat" experts attempted to mimic what a malicious hacker might try next, they were blocked by the system's defenses.
Separately, the review also found two critical vulnerabilities in databases that support the website.
Specific descriptions of the flaws were not released, but apparently none has been exploited by hackers.
HealthCare.gov serves 36 states, while the remaining states run their own enrollment websites.
The federal site had numerous technical problems when it was launched last fall and for weeks it was unworkable for most consumers.
At the time, technical experts within HHS were concerned that full security testing could not be completed because the system was undergoing so many last-minute changes. Nonetheless, Medicare administrator Marilyn Tavenner issued a six-month security authorization for the site, keyed to an action plan for reducing risks.
HealthCare.gov was hacked this summer, but the administration said no consumer information was stolen. Instead, hackers installed malicious software that could have been used to launch an attack on other websites.
"We have not had any malicious attacks on the site that have resulted in personal identification being stolen," Tavenner told Congress last week.
The inspector general's office also probed security for two state-run health care websites, the Kentucky exchange and New Mexico's small-business portal.
It found that Kentucky, seen as a national model, sufficiently protected consumers' personal information. But there were some weaknesses in who had access to the system.
"White-hat" hacking of New Mexico's site revealed 64 vulnerabilities.
The office said it will keep monitoring security on HealthCare.gov and state sites.
NEW YORK (AP) — Coke, Pepsi and Dr Pepper said Tuesday they'll work to reduce the calories Americans get from beverages by 20 percent over the next decade by more aggressively marketing smaller sizes, bottled water and diet drinks.
The announcement was made at the Clinton Global Initiative in New York City and comes as the country's three biggest soda makers face pressure over the role of sugary drinks in fueling obesity rates.
In many ways, the commitment follows the way customers' tastes are already changing: People have been moving away from soda on their own for several years. In response, Coca-Cola Co. and PepsiCo Inc. have been pushing smaller cans and bottles, which tend to be more profitable and are positioned as a way to control portions. They've also rolled out flavored versions of Dasani and Aquafina, respectively, as demand for bottled water has grown.
John Sicher, publisher of the industry tracker Beverage Digest, said the commitment announced Tuesday appears to be a response to the growth challenges the companies are facing, in part because of health concerns. Between 2000 and 2013, Beverage Digest estimates the calories people got from drinks fell by about 12 percent.
Susan Neely, president of the American Beverage Association, said the commitment with the Alliance for a Healthier Generation is intended to take such trends "to an ambitious new level." She said the companies will focus their efforts on communities where there has traditionally been less interest in lower-calorie drinks.
On stage at the event, former President Bill Clinton noted that drinks can make up a greater share of lower-income people's calorie intake.
The initiative could also be a way to get out in front of campaigns for more aggressive tactics to fight obesity, which the industry has fought. The American Beverage Association has spent millions of dollars campaigning against taxes on sugary drinks, for example. In the San Francisco Bay Area, it is now working to defeat a proposed tax set to go before voters in November.
Instead of such government measures, the beverage association has touted the need for greater awareness about choices and the need to balance calorie intake with physical activity. That will be one component of its new push, with an ad campaign called "Mixify" aimed at teens set to start airing on national TV this week.
The association also noted companies will provide calorie counts on places such as vending machines. A federal regulation is expected to soon require such disclosures, but Neely said beverage makers will go farther by providing some sort of "nudge" for people to make better choices.
The association said it will hire an independent evaluator to track its progress.
It isn't the first time the industry has partnered with the Alliance for a Healthier Generation. In 2006, the American Beverage Association also announced an agreement with the organization to remove full-calorie soft drinks from schools. That came after the threat of legal action by the Center for Science in the Public Interest, said Jeff Cronin, a spokesman for the nutrition advocacy group based in Washington, D.C.
Michael Jacobson, executive director of CSPI, said the announcement shows "the industry is seeing the writing on the wall" and that it's a way for the industry to burnish its reputation.
Paula Deen is ready to tell her side of the story behind the racist remark that decimated her career, but you'll need to pay to hear it.
The former Food Network star has been working on a documentary about herself and her downfall — triggered in 2013 by her acknowledgment that she'd used a racial slur in the past — but it will only be available to subscribers of her new website, the Paula Deen Network. Recipe content on the site will be free, but viewers will need to pay $9.99 a month to view videos.
"We hope to have it out the first of the year and tell everybody the true story of what really happened," Deen said of the documentary during a recent telephone interview. "It was a painful year for me. It was a hurtful year when I found myself being labeled for something I was not."
The website, which launches Wednesday, will feature an ambitious array of original video content, including traditional cooking shows as well as lifestyle and game show segments, all starring Deen and her sons. The site, which will include no outside advertising or sponsors, also includes thousands of Deen's recipes, as well as menu planning tools.
The site and documentary are part of a larger effort by the star and her backers to resuscitate her career after a one-two punch of public relations disasters cost her nearly all her book, TV and endorsement deals.
In 2012, she was criticized for announcing she had both diabetes and a lucrative endorsement deal for a drug to treat the condition she'd until then hidden. A year later, during a legal dispute with a former employee who accused her of racial discrimination and sexual harassment, she acknowledged having used racial slurs in the past.
The experience was painful, but valuable, Deen told the AP. "I learned the power of words, how they have the ability to hurt and once you say certain words you can't un-ring it, not even 30 years later."
Deen — whose comeback effort began earlier this year, when private investment firm Najafi Companies put up $75 million to $100 million to rebuild her — said she had opportunities to return to traditional television, but both she and her fans preferred the flexibility and social elements of the digital world.
The new site, which is being overseen by longtime Deen producer Gordon Elliot, also will feature all of the content Deen produced during her more than 10 years at the Food Network. The network parted ways with her following the revelations about her comments. Deen wouldn't say how much it cost to acquire the videos, only that it was "very valuable to us." That content will be slowly rolled out for subscribers.
PARIS (AP) — The Islamic State group's call on Muslims to go after the "filthy French" and other Westerners multiplies already deep security concerns in nations targeting the militant organization.
The appeal made public Monday cynically turns all Muslims into the invisible enemy, making intelligence tracking of potential suspects virtually impossible and shining the spotlight of suspicion on Muslims in the West.
Nations are honing mechanisms to monitor Westerners who head to Syria and Iraq to fight in the jihad, the better to catch them when they return home with deadly skills. But how do you track someone who reads the Islamic State group's call in a newspaper or on a mainstream website, and then carries out a spontaneous attack?
Experts in terrorism agreed that the options to counteract the call on all Muslims to kill are virtually nil, beyond bolstering security forces' visibility — thus allowing them to act quickly if need be.
"We are not waging a war between east and west, or Christianity and Islam," French Prime Minister Manuel Valls said Tuesday. The French government says what it calls the "butchers" of the Islamic State group don't represent Islam.
But Valls acknowledged that France is facing an unprecedented challenge from "the enemy within."
"We have compatriots who could strike us," he said on Europe-1 radio.
On Friday, France became the first country to join the U.S. in carrying out airstrikes in Iraq. France, with the largest Muslim population in Western Europe, an estimated 5 million, also counts the highest number of citizens and residents who have turned to jihad in Syria and Iraq — more than 900 people travelling or planning to go.
France has increased security around places of worship, airports and "symbolic" sites after the first airstrikes.
A French citizen captured Sunday evening in Algeria by a breakaway al-Qaida affiliate was the first victim of the new threat. A masked man crouching with the hostage in an authenticated video threatened his death if France doesn't end airstrikes on Iraq within 24 hours. The group, Soldiers of the Caliphate, said the kidnapping was a response to the Islamic State group's call.
The sweeping appeal in an audio statement implored Muslims to "not let this battle pass you by, wherever you may be."
The statement, issued by group spokesman Abu Muhammad al-Adnani, asked Muslims to use all means to kill a "disbelieving American or European — especially the spiteful and filthy French — or an Australian or a Canadian" or any disbeliever and others whose countries have joined to try to disable and destroy the Islamic State group.
Matthew Henman of IHS Jane's Terrorism and Insurgency Center said, "When you have people traveling out to Syria to fight, there are mechanisms in place that make it easy for security forces to track and survey those people ... when they return from the conflict zone."
But "all someone has to do is read a newspaper" reporting the threat and be inspired, he added. "It's extremely difficult for security forces to predict and intercept that because there's almost no intelligence."
Muslims in the West could become the collateral damage, stigmatized as potential extremists, as they have in the U.S. and Europe after attacks of the past. But this time they could fall under suspicion even if nothing happens.
The rector of the Grand Mosque in Lyon, which has a significant Muslim population, envisioned that possibility as soon as the Islamic State group's order went public.
Kamal Kabtane, along with two other Muslim leaders, said Monday the appeal risks creating an "anti-Muslim tsunami" and hands ammunition to those who "cast doubt on the loyalty of Muslim citizens regarding (French) values and democracy."
French Muslim leaders recently called Tuesday for the nation's imams to use their pulpits against the Islamic State group, which has conquered wide territory in Syria and Iraq, where it was born under another name in murderous advances and displays of brutality like videotaped executions of two American journalists and a British aid worker.
Magnus Ranstorp, a specialist on asymmetric threats at the Swedish National Defense College, said that returnees and sympathizers would listen up most closely to the new appeal for Muslim support, and warned of a contagion effect.
"If there are instances like that it's the momentum that matters," Ranstorp said. "If you have an incident here and an incident there, you've got a problem. People imitate, people copy."
The U.N. Security Council is expected to adopt a binding resolution this week that would require nations to bar their citizens from traveling abroad to join extremist organizations. But it doesn't address what to do with radicals who stay at home but espouse the Islamic State group's goals. And officials in the Obama administration, which has championed the measure, acknowledge that it has no enforcement mechanism.
Even before this week's new threat, Westerners have pursued or aided jihad in Syria for a range of reasons. Americans among them include a nurse's aide who converted to Islam, a community college student with a Palestinian dad and Italian-American mom — not people who would necessarily elicit suspicion.
Claude Moniquet, a former agent of France's DGSE counter-intelligence unit and now head of Brussels-based European Strategic Intelligence and Security Center, said the appeal could also speak to people who suffer from emotional instability.
Moniquet pointed to a young French convert to Islam who attacked a soldier outside Paris days after a British soldier was hacked to death last year in London by suspected Islamist extremists. Psychological tests showed the Frenchman suffered from a range of emotional problems.
"It's too large a problem to be answered by intelligence services alone," Moniquet said. "It's a call for a kind of non-organized jihad: 'You can kill anyone ... and God will help.'"
Angela Charlton in Paris contributed to this report.
WASHINGTON (AP) — Obama administration officials returned Tuesday to citing Congress' 2001 authorization to wage war on the terrorists responsible for the 9/11 attacks as legal grounding for its overnight airstrikes against Islamic State militants and an al-Qaida affiliate inside Syria.
But Secretary of State John Kerry has separately raised the idea of a "right of hot pursuit" across borders — a concept with little grounding in international law — as a basis for attacks on the militants.
President Barack Obama has said repeatedly that U.S. troops will advise Iraqi forces but will not be used for combat directly against the Islamic State group. During a hearing last week by the Senate Foreign Relations Committee, Kerry said the same, but then unexpectedly explained the hot pursuit doctrine, which had not previously been cited by the Obama administration to legally justify any part of its new war.
"So, Iraq is asking us to help them," Kerry said. "And as a matter of right, if they're being attacked from outside their country, you have a right of hot pursuit. You have a right to be able to attack those people who are attacking you as a matter of self-defense."
International law experts said there is a recognized right of hot pursuit to pursue ships escaping in international waters, but there is no similar global legal authority that would allow one nation to violate another nation's border to pursue an opposing force on land. Even without that precedent, numerous nations have repeatedly taken action across borders — including raids by U.S. troops in recent years pursuing militants from Afghanistan into Pakistan.
A State Department spokesman, Jeff Rathke, elaborating on Kerry's comments last week, said Kerry was referring to the recognized concept of a nation's right of self-defense, "which includes the right to use necessary and proportionate force to address armed attacks that emanate from another nation, if that nation is unwilling or unable to address the threat."
Administration officials alluded to the self-defense concept on Tuesday, saying that the Islamic State group and Khorasan were dangers both to the U.S. and to its military coalition partners in the Mideast aiding Iraqi forces.
Officials said the 2001 Authorization for Use of Military Force against terrorists provides Obama with a basis to attack both Islamic State and Khorasan targets. The officials said the Khorasan group in Syria has direct ties to al-Qaida and is linked to bomb testing inside Syria and planning for terrorist actions against U.S. and Western interests. The Islamic State group broke with al-Qaida earlier this year and has yet to be linked to active plots against the U.S., but officials said it retains historic ties to the terror group and presents a threat because of its reliance on foreign fighters, whose ranks include some Americans.
U.S. forces used fighter jets, bombers and cruise missiles in strikes against Islamic State and Khorasan targets in northern Syria on Monday, Pentagon officials said. Officials also said Bahrain, Qatar, Saudi Arabia, Jordan and the United Arab Emirates are aiding the offensive.
Neither Kerry nor his spokesman identified which military forces might rely on "hot pursuit" as a legal basis for strikes or other military action. But Kerry's comments, which came during an exchange with Sen. Ben Cardin, D-Md., closely followed a discussion about the role U.S. and Iraqi forces and an international coalition would play in countering the Islamic State threat.
Cardin had asked Kerry how the government should obtain congressional approval for a war that would also "protect us against any lengthy particularly combat involvements in these countries in the future."
Kerry responded that "our lawyers also are clear that Iraq has a right of self-defense, and Iraq is exercising its right of self-defense and asking the United States to help it. And we already have a military agreement with them with respect to that."
International law authorizes military action if a nation can show it is acting in self-defense. But even recognizing that nations have repeatedly invoked their self-interest in striking at opposing forces across borders, legal experts said there is no governing international legal code that recognizes a reflexive right of hot pursuit on land.
Temple University law professor and international law authority Peter J. Spiro said the hot-pursuit doctrine is well-established in criminal law, used to justify U.S. law enforcement pursuit of an armed fugitive across state lines. But Spiro added that "without some justification or U.N. National Security Council authorization, any use of force will comprise a violation of Syrian sovereignty."
There is clearer authority when it comes to pursuit on the sea. The 1958 Geneva Convention codified authorities' right to pursue and apprehend ships that have violated a nation's laws and have escaped from a country's national waters into international waters. Kerry cited that law in 2008 when, as the incoming chairman of the Senate Foreign Relations Committee, he called for the pursuit of pirates onto land in Somalia. The United Nations Security Council later authorized sea-to-land pursuit in Somalia.
As a Swift Boat commander during the Vietnam War, Kerry practiced a version of hot pursuit on his own, beaching his boat to pursue Vietcong guerrillas firing from land. In one incident, Kerry shot and killed a Vietcong armed with a weapon and was later awarded the Silver Star — even though his superiors had ordered boat commanders not to risk combat on land.
Associated Press writer Matthew Lee contributed to this report.
WASHINGTON (AP) — A man who managed a company hired to clean the National Mall storm water sewer system and pleaded guilty to dumping debris and wastewater into the Potomac River has been sentenced to 10 months in prison.
Prosecutors say Patrick Brightwell of Bogart, Georgia, was sentenced Tuesday in federal court in Washington. Brightwell acknowledged as part of a plea deal that he directed workers to dump waste into the Potomac rather than taking it to a disposal facility. Brightwell pleaded guilty to violating the Clean Water Act by knowingly discharging a pollutant without a permit and presenting false claims to the United States.
He has been ordered to pay hundreds of thousands of dollars in restitution.
Brightwell's lawyer did not immediately return a telephone call requesting comment.