
Stuxnet-Style Virus Failed to Infiltrate North Korea's Nuclear Program

The famous Stuxnet computer virus that sabotaged Iran’s nuclear program apparently had a cousin designed to do the same to North Korea. But this other U.S. cyber attack failed because agents could not physically access the isolated computers of North Korea’s nuclear program.


Fuzzy Math Obscures Pentagon's Cybersecurity Spending

U.S. military spending has increasingly focused on cybersecurity in recent years. But some fuzzy math and the fact that funding is spread out among many military services makes it tough to figure out exactly how much money is going toward cybersecurity. That in turn makes it difficult to understand whether each dollar spent really improves the U.S. military’s cyber capabilities.


Is the Lenovo/Superfish Debacle a Call to Arms for Hacktivists?

As Lenovo has come under fire for pre-installing on their computers the intrusive Superfish adware — and as lawsuits are now being filed against the laptop-maker for compromising its users’ security — one solution to the problem may have been given short shrift. Maybe it’s time, in other words, to release the hackers.

To be clear, nothing here should be read as an inducement to any sort of malicious hacking or other nefarious cyber-activities. The call to arms is instead to hacking in the old Homebrew Computer Club, touch-of-code-and-dab-of-solder sense. After all, when pop-up ads became a scourge of the late 1990s Internet, coders behind the smaller Opera and Mozilla browsers rolled out their pop-up blockers to restore a touch of sanity. Major commercial web browsers like Internet Explorer and Safari only rushed in after the nimbler first responders proved the consumer demand.


Should Data Sharing Be More Like Gambling?

When you install a new app on your phone, you might find yourself facing a laundry list of things the software says it needs to access: your photos folder, for example, along with your camera, address book, phone log, and GPS location.

In many cases, it’s an all-or-nothing deal.

Eric Horvitz of Microsoft Research says companies could do better. Instead of asking users to provide wholesale access to their data, they could instead ask users to accept a certain level of risk that any given piece of data might be taken and used to, say, improve a product or better target ads.

“Certainly user data is the hot commodity of our time,” Horvitz said earlier this week at the American Association for the Advancement of Science, or AAAS, meeting in San Jose. But there is no reason, he says, that services “should be sucking up data willy-nilly.”

Instead, he says, companies could borrow a page from the medical realm and look for a minimally invasive option. Horvitz and his colleagues call their approach “stochastic privacy.” Instead of choosing to share or not to share certain information, a user would instead sign on to accept a certain amount of privacy risk: a 1 in 30,000 chance, for example, that their GPS data might be fed into real-time traffic analysis on any given day. Or a 1 in 100,000 chance that any given Internet search query might be logged and used.

Horvitz and colleagues outlined the approach in a paper for an American Association for the Advancement of Artificial Intelligence conference last year.

If companies were to implement stochastic privacy, they’d likely need to engage in some cost-benefit calculations. What are the benefits of knowing certain information? And how willing would a user be to share that information? 

This sort of exercise can turn up surprising results. In an earlier study, Horvitz and Andreas Krause (then at Caltech, but now at ETH Zurich) surveyed Internet search users to gauge their sensitivity to sharing different kinds of information. More sensitive than marital status, occupation, or whether you have children? Whether the search was conducted during work hours.

Of course, even if a company works out what seem to be reasonable risks for sharing different kinds of data, what it might look like on the user end is still an open question. How do you communicate the difference between a 1/30,000 and a 1/100,000 probability? 

Horvitz said that would be a good problem to have. “Would you want to live in a world where the challenge is to explain these things better,” he asked, “or where companies scarf up everything?”
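The question above, how to communicate the gap between a 1/30,000 and a 1/100,000 chance, has a concrete answer once the per-event risk is turned into the numbers a user actually experiences: the chance of at least one disclosure over a year, and the expected count. The following is an added example, not code from Horvitz’s paper or from Microsoft; it assumes that each day (or each query) is an independent trial, which is a modelling assumption made here, and the sampler shows the one design property stochastic privacy depends on: the admit decision never looks at the record, only at the accepted risk level.

```python
import math
import random

# Per-event disclosure probabilities quoted in the article. Treating each day
# (or each query) as an independent Bernoulli trial is an assumption made here.
GPS_DAILY_RISK = 1 / 30_000
SEARCH_QUERY_RISK = 1 / 100_000


def cumulative_risk(p: float, events: int) -> float:
    """Probability that at least one of `events` independent trials discloses."""
    return 1.0 - (1.0 - p) ** events


def expected_disclosures(p: float, events: int) -> float:
    """Mean number of disclosures over `events` trials."""
    return p * events


def events_until_risk(p: float, target: float) -> int:
    """Smallest number of trials at which cumulative risk reaches `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


class StochasticSampler:
    """Admits each record independently with the user's accepted probability.

    The record content is never inspected; the only input to the decision is the
    risk level the user signed up for, which is the point of the scheme.
    """

    def __init__(self, p: float, seed=None) -> None:
        self.p = p
        self.rng = random.Random(seed)
        self.seen = 0
        self.disclosed = 0

    def admit(self, record) -> bool:
        self.seen += 1
        if self.rng.random() < self.p:
            self.disclosed += 1
            return True
        return False


def risk_summary(p: float, events: int) -> dict:
    """Numbers a consent screen could show instead of a raw per-event probability."""
    return {
        "per_event": p,
        "events": events,
        "chance_of_any_disclosure": cumulative_risk(p, events),
        "expected_disclosures": expected_disclosures(p, events),
    }


if __name__ == "__main__":
    for name, p in (("GPS, daily", GPS_DAILY_RISK), ("search query", SEARCH_QUERY_RISK)):
        s = risk_summary(p, 365)
        print(f"{name}: {s['chance_of_any_disclosure']:.2%} chance of at least "
              f"one disclosure over 365 events")
```

Over a year of daily GPS sampling at 1/30,000 the chance of any disclosure is about 1.2%, versus about 0.36% at 1/100,000; the per-day figures differ by a factor of 3.3, and so do the annual ones, but the annual ones are the figures a person can actually weigh.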

Rooting Out Malware With a Side-Channel Chip Defense System

The world of malware has been turned on its head this week, as a company in Virginia has introduced a new cybersecurity technology that at first glance looks more like a classic cyberattack. 

The idea hatched by PFP Cybersecurity of Vienna, Va., is taken from the playbook of a famous cryptography-breaking scheme called the side channel attack. All malware, no matter the details of its code, authorship, or execution, must consume power. And, as PFP has found, the signature of malware’s power usage looks very different from the baseline power draw of a chip’s standard operations.

So this week, PFP is announcing a two-pronged technology (called P2Scan and eMonitor) that physically sits outside the CPU and sniffs the chip’s electromagnetic leakage for telltale signatures of power consumption patterns indicating abnormal behavior.

The result, they say, is a practically undetectable, all-purpose malware discovery protocol, especially for low-level systems that follow a predictable and standard routine. (Computers with users regularly attached to them, like laptops and smartphones, often have no baseline routine from which abnormal behavior can be inferred. So, PFP officials say, their technology is at the moment better suited to things like routers, networks, power grids, critical infrastructure, and other more automated systems.)

“On average, malware exists on a system for 229 days before anyone ever notices anything is there,” Thurston Brooks, PFP’s vice president of engineering and product marketing, told IEEE Spectrum. “What’s really cool about our system is we tell you within milliseconds that something has happened.”

PFP—an acronym for “power fingerprinting”—requires that its users establish a firm baseline of normal operations for the chips the company will be monitoring. So they begin with P2Scan, a credit-card-size physical sensor that monitors a given chip, board, device, embedded system, or network router for its electromagnetic fingerprints when running normally.

Unlike most malware strategies in the marketplace today, PFP takes a strikingly software-agnostic tack to besting malware, hardware Trojans, and other cyberattacks.

“We’re not trying to actually understand what’s going on inside the machine, like the hackers are,” says Brooks. “We’re trying to define what normal behavior looks like. Then, knowing [that], we can detect abnormal behavior.”

The view of malware as seen from outside the chip, in other words, can be a refreshing one. Hackers can’t detect this type of surveillance, because the scanning tools never actually interact with the chip’s operations. And hackers can be as clever as the most sophisticated programmers in the world. Yet, their code will still very likely be detected because, simply by virtue of performing different tasks than the chip normally performs, it will have a different power profile.

“I am a signal processing guy,” says PFP president Jeff Reed, who is also a professor in the ECE department at Virginia Tech. “Our approach is a very different approach than a person who’s normally schooled in security…We’re trying to understand a disturbance in the signal due to the inclusion of malware.”

Reed and Brooks also point out that counterfeit chips are a vast problem in IT, as Spectrum has documented in recent years. By the FBI’s estimates, for instance, chip counterfeiting costs U.S. businesses some $200 to $250 billion annually.

The problem is just as daunting for the U.S. military, as Spectrum has also chronicled. For example, an investigation by the U.S. Senate Committee on Armed Services uncovered counterfeit components in the supply chains for the CH-46 Sea Knight helicopter, C-17 military transport aircraft, P-8A Poseidon sub hunter and F-16 fighter jet.

The problems were expensive but ultimately rooted out. Yet other dangers remain—especially in such high-security realms, where substandard components could endanger troops and missions, or compromised chips could be used to carry out malicious plots.

But any compromised chip—whether hardware-Trojan-laden or part of a single lot of subpar chips coming from the foundry—can be discovered using their system, PFP says.

The trick, says Brooks, is to grab a sample chip from a lot and perform a (typically expensive) decapping, x-ray analysis, and reverse-engineering of the chip’s code. Then, once it’s been confirmed that the chip works as designed and is within spec, it is run through a standard operation, providing an electromagnetic baseline for P2Scan and eMonitor.

Every other chip in the lot can then be rapidly and cheaply tested against the “gold standard” chip by running the same standard operation and comparing the resulting electromagnetic signature to that of the first chip.

“You determine whether you have a good chip or not,” Brooks says. “You only spend the money to do that on one chip…So you amortize the cost of the forensics across all the chips. So if you have a few million chips, you’re talking about a few pennies [per chip] to do the whole thing—and know that you have a million chips that are all good.”
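The two uses PFP describes, watching a running device for deviations from its normal routine and screening a lot of chips against one verified “gold standard” part, are the same operation: build a baseline fingerprint from known-good captures, then measure how far a new capture strays from it. The example below is added here and is not PFP’s software; P2Scan and eMonitor’s actual signal processing is proprietary, so the per-sample mean/standard-deviation baseline and windowed z-score used here are an assumed, simple stand-in. The traces are constructed synthetic power readings, not real side-channel captures.

```python
import math
import random


def synthetic_trace(rng, length=256, extra_load=None):
    """Constructed stand-in for a P2Scan capture: power readings taken while a
    device runs its fixed routine. extra_load=(start, stop) adds an unexpected
    task drawing additional power over that sample range."""
    trace = []
    for i in range(length):
        value = 1.0 + 0.5 * math.sin(i / 8.0) + 0.2 * math.sin(i / 3.0)  # the routine
        value += rng.gauss(0.0, 0.03)                                    # sensor noise
        if extra_load is not None and extra_load[0] <= i < extra_load[1]:
            value += 0.15
        trace.append(value)
    return trace


def build_baseline(reference_traces):
    """Per-sample mean and standard deviation across known-good runs
    (the 'gold standard' fingerprint)."""
    n = len(reference_traces)
    length = len(reference_traces[0])
    means, stds = [], []
    for i in range(length):
        column = [t[i] for t in reference_traces]
        mu = sum(column) / n
        var = sum((v - mu) ** 2 for v in column) / (n - 1)
        means.append(mu)
        stds.append(max(math.sqrt(var), 1e-6))  # floor avoids division by zero
    return means, stds


def score_trace(trace, baseline, window=16):
    """Worst windowed mean absolute z-score: how far any stretch of the trace
    strays from the baseline, in units of the baseline's own noise."""
    means, stds = baseline
    z = [abs(v - m) / s for v, m, s in zip(trace, means, stds)]
    worst = 0.0
    for start in range(len(z) - window + 1):
        worst = max(worst, sum(z[start:start + window]) / window)
    return worst


def is_anomalous(trace, baseline, threshold=3.0):
    return score_trace(trace, baseline) > threshold


def screen_lot(traces, baseline, threshold=3.0):
    """Indices of chips whose traces deviate from the gold-standard baseline."""
    return [i for i, t in enumerate(traces) if is_anomalous(t, baseline, threshold)]


# Baseline from 20 clean runs (constructed data, fixed seeds for reproducibility).
BASELINE = build_baseline([synthetic_trace(random.Random(seed)) for seed in range(20)])


def example_lot():
    """Constructed lot: two clean chips and one running an unexpected workload."""
    return [
        synthetic_trace(random.Random(101)),
        synthetic_trace(random.Random(102), extra_load=(100, 150)),
        synthetic_trace(random.Random(103)),
    ]


if __name__ == "__main__":
    lot = example_lot()
    for i, t in enumerate(lot):
        print(f"chip {i}: score {score_trace(t, BASELINE):.2f}")
    print("flagged:", screen_lot(lot, BASELINE))
```

The threshold is the practical knob: a baseline built from too few runs underestimates the noise and flags healthy parts, while one built from runs that already include the unwanted behaviour will never flag it, which is why the article has the reference chip decapped and verified before its trace is recorded.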

Cyber Espionage Malware Taps Smartphones, Sends Chills

A mysterious malware campaign resembling an attack on Russian officials from earlier this year could be the most sophisticated cyberattack yet discovered.

This fall, around the time hackers were draining crucial digital lifeblood from Sony Pictures, one of the most sophisticated malware attacks in history (completely separate from the Sony hack) was coming to a close. Presumably retreating after being exposed by security researchers, the cyber espionage campaign targeted smartphones of business, government, and embassy officials around the world. Its structure parallels an earlier attack aimed primarily at Russian executives, diplomats, and government officials, but the extent of the damage inflicted by the recent campaign—as well as its prospects of returning under a new guise—is still unknown.

Waylon Grange, senior malware researcher at Blue Coat Labs in Sunnyvale, Calif., says he’s taken apart both the malware that infected Sony Pictures’ internal networks and the malicious code behind the Russian hack. And in terms of the relative complexity and sophistication of the designs—though of course not by the level of damage—there’s no contest.

“In terms of sophistication, the Sony malware is really low on the pecking order,” he says. “The Sony malware was more destructive. This one is very selective. When it runs, this one does very well tracking its steps. If anything is wrong or the system is not configured just right, this malware detects it, quietly backs off, doesn’t make any errors, cleans itself up and is gone.”

As a result, Grange says, it's been a difficult cyber infection to study and trace. And its code base and Internet routing are so full of false leads and red herrings that it has, to date, proved impossible to source back to any group, nation, or band of hackers. Whoever it is, Grange says, has assembled a next-generation attack that should make security researchers sit up and pay attention.

And, especially in light of how much horrible mischief the far simpler Sony attack has wrought, businesses and governments should also be educating their workforces on cybersecurity and installing more and better locks on their cyber doors and windows.

In a blog post earlier this month, Grange’s colleagues at Blue Coat unveiled the details of the attack, whose infection route begins with a spearphishing e-mail to targeted business, government, and diplomatic users in at least 37 countries. The e-mail poses as an update or special offer for users to download the latest version of WhatsApp. Unfortunate users who click this link download infected Android, Blackberry and iOS versions of the popular messaging app.

An infected smartphone then records calls made by the user and awaits instructions telling it the Internet address to which it should upload the surreptitiously recorded phone calls.

Such an attack would already be remarkable and impressive, Grange says. But it’s only the first of at least two more layers of command and control structure for the malware campaign.

In the second step, apps check a redundant list of hacked public blogs whose posts contain legitimate text at the top (presumably in order to avoid being de-listed by search engines or otherwise flagged) followed by long strings of encrypted code. The malware then decrypts the code, providing itself a list containing a second set of command and control websites.

These sites, the researchers found, are often compromised Web pages run on outdated content management software in Poland, Russia, and Germany. It’s at these second-tier websites that the malware then decodes its rapidly changing list of drop-zones for offloading the phone call recordings.
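The first command-and-control layer described above leaves a recognisable trace on the compromised blogs themselves: a post that reads as ordinary text and then ends in a long run of encoded data. A site owner or hosting provider can audit their own content for that pattern. The following is an added example, not Blue Coat’s tooling or anything from the campaign; the sample posts are constructed, the appended “payload” is base64 of random bytes standing in for the encrypted strings, and the character-class and entropy thresholds are assumptions tuned for this sample.

```python
import base64
import math
import random
import re


def shannon_entropy(s: str) -> float:
    """Bits per character; English prose sits around 4.0-4.3, base64 of
    random bytes close to 6.0 (the maximum for a 64-symbol alphabet)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# A token that could be an encoded payload: long and base64 alphabet only.
# URLs and ordinary words contain ':', '.', '-' or are short, so they do not match.
BLOB_TOKEN = re.compile(r"^[A-Za-z0-9+/=]{40,}$")


def looks_like_blob(token: str, min_entropy: float = 4.5) -> bool:
    return bool(BLOB_TOKEN.match(token)) and shannon_entropy(token) >= min_entropy


def find_appended_blob(post_text: str, min_blob_chars: int = 128):
    """Detects prose followed by a run of high-entropy tokens at the very end
    of the post. Returns None if the post ends in prose, else a summary of
    where the prose stops and how large the appended blob is."""
    tokens = post_text.split()
    i = len(tokens)
    while i > 0 and looks_like_blob(tokens[i - 1]):
        i -= 1
    tail = tokens[i:]
    blob_chars = sum(len(t) for t in tail)
    if blob_chars < min_blob_chars:
        return None
    return {
        "prose_tokens": i,
        "blob_tokens": len(tail),
        "blob_chars": blob_chars,
        "blob_entropy": round(shannon_entropy("".join(tail)), 2),
    }


def audit_posts(posts):
    """Map post id -> finding for every post that ends in an appended blob."""
    findings = {}
    for pid, text in posts.items():
        result = find_appended_blob(text)
        if result is not None:
            findings[pid] = result
    return findings


# Constructed sample posts (not real compromised content).
LEGIT_POST = (
    "Ten tips for winter gardening. Mulch your beds before the first frost, "
    "prune fruit trees while they are dormant, and see our full guide at "
    "https://example.invalid/garden/winter-checklist-2014 for more."
)


def _fake_payload(n_bytes: int = 300, seed: int = 7) -> str:
    """Base64 of seeded random bytes: a stand-in for an encrypted C2 list."""
    rng = random.Random(seed)
    raw = bytes(rng.getrandbits(8) for _ in range(n_bytes))
    return base64.b64encode(raw).decode("ascii")


STAGED_POST = LEGIT_POST + "\n\n" + _fake_payload()


if __name__ == "__main__":
    for pid, finding in audit_posts({"post-1": LEGIT_POST, "post-2": STAGED_POST}).items():
        print(pid, finding)
```

This is a heuristic, not a signature: a post that legitimately ends in a long hash, a license key, or an inline data URI will also trip it, so findings are a queue for a human to review rather than an automatic takedown.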

Earlier this year, Blue Coat also detected and studied a similar multilayered Windows-based attack that was carried out primarily in Russia. It began with an infected Microsoft Word document that then infected a PC, causing it to follow an even more carefully guarded and circuitous route for receiving instructions. Subsequently infected PCs would first search a series of hacked cloud service accounts, which in turn would point to hacked embedded devices around the world (including wireless routers, satellite TV boxes and digital TV recording devices). Those compromised devices would in turn point back to virtual private networks that contained the instructions for the malware.

Disassembling the infected code, Grange says, led security researchers to multiple conflicting conclusions about its authors. One piece of the infected Android app contained the Hindi character for "error." Several of the infected blog profiles have set their location to Iran. Many infected home routers are in South Korea. Text strings in the Blackberry malware are in Arabic. Another contained the comment “God_Save_The_Queen.”

It was the many layers of red herrings and command and control, Grange says, that inspired Blue Coat to call the original (Russian) malware “Inception,” in homage to the 2010 thriller that contains onion-like layers of story to be peeled away. Blue Coat hasn't explicitly named the smartphone cyberespionage attack, though they strongly suspect it's either by the same hackers or strongly inspired by the "Inception" malware.

“These people are going to great lengths to protect who they are,” he says. “We’ve seen [attackers] use the cloud. But we’ve never seen routers, and we’ve never seen anyone use cloud, router, and private services to hide their identity.”

Grange says the smokescreens have worked so far; he has yet to establish any solid leads on who could have conducted these sophisticated attacks. Yet the lessons learned from the attacks, he said, are not nearly as mysterious. Among them:

• Don’t click links in your e-mail browser—especially in any e-mail from an unknown user, or strange e-mails from known users.

• Don’t root your phone. Because the iPhone, for instance, doesn’t allow for updates outside of the iTunes store, Inception wouldn’t work on a non-rooted iPhone.

• Only update mobile apps through your trusted app store (e.g. iTunes or Google Play).

• Always change the default passwords (“admin,” “password,” etc.) for your household devices.

“We probably haven’t seen the end of these guys,” Grange says. “I’m sure they’ll come back. It’s just a matter of how long have we set them back—and what will be their new toys when they come back.”

New Jersey Finally Cancels $118 Million Social Welfare Computer System

IT Hiccups of the Week

We end this year’s IT Hiccups of the Week series much like how we began it, with yet another expensive, incompetently managed, and ultimately out-of-control U.S. state government IT project spiraling into abject failure. This one involves the New Jersey Department of Human Services’ six-year, $118.3 million Consolidated Assistance Support System (CASS). It was supposed to modernize the management of the state’s social welfare programs, but it was CASS itself that was in dire need of assistance.

The Department of Human Services decided to announce that it had pulled the project’s plug over the Thanksgiving holiday—no doubt to try to reduce the bad publicity involved while people were enjoying their much-easier-to-swallow, non-IT turkey. A DHS spokesperson would not explain why the CASS contract was terminated; her only related comment made to a NJ.com reporter was that “an analysis is in progress to determine next steps.”

Hewlett-Packard, which was the CASS project prime contractor (the contract was originally awarded to EDS in 2007; HP acquired the firm in 2008), was equally mum on the subject. However, an HP spokesperson did seem to hint strongly that any and all project problems were the fault of New Jersey’s DHS, when he stated that, “Out of respect, HP does not comment on customer relationships.”

Last week, an audit report (pdf) by Stephen Eells, New Jersey’s state auditor, showed why both DHS and HP did not want to discuss why a system touted as “New Jersey's comprehensive, cutting-edge social service information system” had turned into a debacle. According to the report, both DHS and HP botched the project nearly from its outset in August 2009. The audit report, for example, found HP’s overall technical performance “poor,” due in part to the company’s “absentee management.” HP has changed project managers on the eight-phase CASS effort three times since 2010; the state rejected one of those managers, Eells stated, because they lacked the qualifications “to manage such a large project.”

The audit report also notes that while the CASS contract cost was $118 million (it was originally $83 million), the state’s own project-related costs added up to an additional $109 million. According to a NJSpotlight.com article, Eells, in testimony last week before New Jersey’s Human Services Committee, made it clear that the state botched its CASS oversight role as well. DHS senior management, he indicated, consistently ignored red flags that the project was in deep trouble, and apparently failed to bring “concerns over the contract to the Department of Treasury, which is responsible for ensuring that problems with contracts are resolved.”

Eells also ruefully noted that the state’s contract with HP didn’t “allow the state to recoup damages from the failure to complete the contracted work.” A minor oversight, one might say.

The Human Services Committee wasn’t able to find out why DHS ignored the warnings that the CASS project was in trouble or failed to report the contract troubles to the state department that really needed to know about them, either. This void in the record is because DHS Commissioner Jenifer Velez “declined to speak at the hearing, citing the ongoing talks with Hewlett-Packard,” NJSpotlight.com reported.

I tend to doubt that the Commissioner will ever explain why her department’s IT managers chose to ignore the facts screaming out to them that the CASS project was on the fast track to failure, or why her department’s contract managers failed to protect state taxpayers from the cost of failure, as is routinely done. It’s not like the Commissioner is personally accountable for what happens on her watch or anything.

In Other News…

Ontario and IBM Locked in Court Battle Over Bungled Transportation System Project

Fixing Ontario’s Social Services’ Buggy Computer System Will Be Costly

Profits for UK’s Brewin Dolphin Drop on IT Debacle

LA DWP Says Billing Mess Over After Inflicting Customers With Year of Pain

Hertz Car Rental Blames Computer Issues for Failing to Pay $435,777 in Taxes

LAUSD Gets $12 Million More to Fix Wayward School Information Management System

6,000 Health Exchange Insurance Plans in Washington State Canceled by Mistake

Robotic Cameras Go Rogue, Irritate BBC News Presenters

Software Bungles in Oregon Child Welfare Data System Cost State $23 Million

Amazon UK Erroneously Selling Hundreds of Products for a Penny

Second Major Air Traffic Computer Problem in Year Cancels, Delays Scores of UK Flights

MPs Demand Investigation into UK Air Traffic System Meltdown

UK Air Traffic Chief Blames Unprecedented Software Issue for Shutdown

How the Internet-Addicted World Can Survive on Poisoned Fruit

There is no “magic bullet” for cybersecurity to ensure that hackers never steal millions of credit card numbers or cripple part of a country’s power grid. The conveniences of living in an interconnected world come with inherent risks. But cybersecurity experts do have ideas for how the world can “survive on a diet of poisoned fruit” and live with its dependence upon computer systems.

Cybersecurity risks have grown with both stunning scale and speed as the global economy has become increasingly dependent upon the Internet and computer networks, according to Richard Danzig, vice chair of The RAND Corporation and former U.S. Secretary of the Navy. He proposed that the United States must prepare to make hard choices and tradeoffs—perhaps giving up some conveniences—in order to tackle such risks. Such ideas became the focus of a cybersecurity talk and panel discussion hosted by New York University’s Polytechnic School of Engineering on Dec. 10.

“You are trading off the virtue in order to buy security,” Danzig said. “To the degree that you indulge in virtue, you breed insecurity. The fruit is poisonous, but also nutritious.”


How Not to Be Sony Pictures

The scope of the recent hack of Sony Pictures — in which unidentified infiltrators breached the Hollywood studio’s firewall, absconded with many terabytes of sensitive information and now regularly leak batches of damaging documents to the media — is only beginning to be grasped. It will take years and perhaps some expensive lawsuits too before anyone knows for certain how vast a problem Sony’s digital Valdez may be. 

But the take-away for the rest of the world beyond Sony and Hollywood is plain: Being cavalier about cybersecurity, as Sony’s attitude in recent years has been characterized, is like playing a game of corporate Russian roulette.

According to a new study of the Sony hack, one lesson learned for the rest of the world is as big as the breach itself. Namely, threat-detection is just the first step.


Amazon Plays Santa after IT Glitch, Singapore Airlines’ Plays Scrooge

IT Hiccups of the Week

This week’s edition of IT Hiccups focuses on two different customer service reactions to IT errors: a nice one by Amazon UK and a not-so-nice one on the part of Singapore Airlines.

According to the Daily Mail, a student at the University of Liverpool by the name of Robert Quinn started to receive a plethora of packages from Amazon at his family’s home in Bromley, South London, that he hadn’t ordered. The 51 packages included a baby buggy, a Galaxy Pro tablet, a 55-inch 3-D Samsung television set, a Sony PSP console, an electric wine cooler, a leaf blower, a bed, a bookcase and a chest of drawers, among other things. In total, the 51 items were worth some £3,600 (US $5,650).

The Daily Mail reported that Quinn called up Amazon and asked what was going on. According to Quinn, Amazon told him that people must be “gifting” the items to him. That surprised Quinn, since he didn’t know the people who were supposedly gifting him the items. Quinn told the Mail that he speculated that there was some sort of computer glitch affecting the Amazon’s purchase return address labels, since the items all looked as though they were meant to be sent back to Amazon by their original purchasers.

Quinn told the Mail:

I was worried that people were losing out on their stuff so I phoned Amazon again and said I’m happy to accept these gifts if they are footing the cost, but I’m not happy if these people are going to lose out. But Amazon said ‘it’s on us.’

The Mail checked with Amazon, who confirmed Quinn’s story. While not confirming that a computer problem affecting its return labels was the cause for the errant packages, Amazon didn’t go out of its way to deny it.

Quinn, who is an engineering student, later told the Mail that packages were still arriving. Quinn indicated that he was going to give some of the items he has received to charity, and then sell the rest to fund “an ‘innovative’ new [electric] cannabis grinder” he was designing.

Whereas Amazon played Santa, Singapore Airlines decided instead to take on the role of Scrooge last week. According to the Sydney Morning Herald, when Singapore Airlines uploaded its business class fares for trips from Australia to Europe into a global ticket distribution system, it instead mistakenly uploaded its economy fare prices. As a result, instead of paying US $5,000 for a business class ticket, travel agents sold over 900 tickets for $2,900 before Singapore Airlines fixed the problem.

Singapore Airlines decided that its mispricing mistake wasn’t, in fact, its problem, but the travel agents’. The Herald reported that the airline “told travel agents who sold the cheap tickets that they will have to seek the difference between the actual price and what they should have sold for from their customers, or foot the bill themselves,” if their customers want to fly in business class.

Singapore Airlines admitted, according to a Fox News story, that while it had “recently reassigned a booking subclass originally designated to economy class bookings to be used for business class bookings from December 8, 2014,” which could cause confusion, “the airfare conditions for the fare clearly stated that it was only valid for economy class travel.” In other words: we may have screwed up, but the travel agents should have caught our error anyway.

Scrooge would indeed be proud.

Last year, both Delta and United Airlines decided to honor online fare errors, in the latter case even when fares were priced at $0.

Update: The Daily Mail is now reporting that Singapore Airlines has decided to honor the mispriced tickets after all. Tiny Tim must be rejoicing.

In Other News…

Coding Issues Forces 10,000 New York Rail Commuters to Buy New Fare Cards

Microsoft Experiences Déjà vu Update cum Human Azure Error

New $240 Million Ontario Welfare System Pays Out Too Much and Too Little

New Jersey Social Services Glitch Causes Wrong Cash Payments

Singapore Stock Exchange Suffers Third Outage of Year

Air India Suffers Check-in Glitch

Best Buy Website Crashes Twice on Black Friday

Mazda Issues Recall to Fix Tire Pressure Monitoring Software

Washington Health Insurance Exchange Glitches Continue


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones