
Risk Factor

This Week in Cybercrime: Could Maryland Voter Registration Vulnerability Affect Election Outcomes?

Could a Hacker Make Thousands ‘Ineligible’ to Vote?

The Washington Post reports that a flaw in the implementation of the state of Maryland’s online voter registration process could have allowed wide-scale tampering with voters’ records. Researchers at the University of Michigan, the Lawrence Livermore National Laboratory and a former president of the Association for Computing Machinery wrote to members of the Maryland State Board of Elections in late September warning that anyone with access to a Maryland voter’s full name and date of birth could easily change the voter’s address or other information and possibly force him or her to use a provisional ballot to vote on Election Day. What’s more, said the researchers, a simple software program could have launched a computer attack that changed the voter registration files of thousands of Maryland residents—without any of them or the Board of Elections noticing the problem until 6 November. According to the Washington Post, a few members of the State Board of Elections wanted to respond to the researchers’ warning. But they were overruled by a faction that judged the researchers’ hacking scenario to be highly unlikely.

More than 100 000 voter files were changed before Maryland’s voter registration period closed at 9 p.m. ET on 15 October. “The board could not readily say how that number compared with similar periods before prior presidential elections, but they said it probably represented a significant increase,” the Washington Post reports.

Medical Devices Under Cyberattack

Panelists at an 11 October medical-device session at a meeting of the National Institute of Standards and Technology’s Information Security & Privacy Advisory Board noted that computerized hospital equipment is increasingly vulnerable to malware infections. “Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems,” Kevin Fu, a leading expert on medical-device security who is a member of the board, told Technology Review. “There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches,” Fu says. A Technology Review article reporting on the meeting quotes Fu providing a typical example:

“At Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufacturers will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews.”

Mark Olson, chief information security officer at Beth Israel, told the panel that these computers are infected with malware so frequently that one or two have to be taken offline each week to have the harmful software removed. Olson noted infections have stricken many kinds of equipment, from fetal monitors to $500 000 MRI machines. It’s a wonder that there have been no reports that someone died in a hospital bed with doctors and nurses completely unaware because a machine overwhelmed with malicious code was taking errant readings.

Newer, More Targeted Version of Flame Discovered

Security researchers at Kaspersky Lab reported this week that they have identified a new variant of the Flame malware used to conduct cyberespionage. The malicious code, called "miniFlame," creates a backdoor in machines that can then be used by attackers to get in and write files to, steal files from, or capture images of what appears on the display of the compromised computer. Kaspersky says that, similarities to Flame and Gauss aside, miniFlame has a different purpose. The Internet security firm estimates that Flame and Gauss have infected thousands of systems; miniFlame, on the other hand, has infected only a few dozen. "This indicates that [miniFlame] is a tool used for highly targeted attacks, and has probably been used only against very specific targets that have the greatest significance and pose the greatest interest to the attackers," Kaspersky Lab told TechNewsWorld. Kaspersky says it has yet to identify who has been targeted, but notes that the nature of miniFlame provides further evidence in support of its belief that Flame and Gauss were created by the same group.

Google’s New Defense Against Malware-Infected Apps

Online news site Android Police has reported that Google may be implementing a new malware scanner in its Google Play Android app store. The scanner has two functions. The first is an "App Check" service that scans a handset to ensure that none of the applications already installed on the device are harmful. The other part is what Android Police describes as a "doorman-style app blocker" that delivers a warning such as “Installing this app may harm your device” if the user is about to download software that has been flagged as suspicious. ZDNet is speculating that the malware blocker is the creation of VirusTotal, a firm that makes a free online malware scanning utility. Google acquired the company in September.

Google’s Stock Takes Hit From Fat-Finger Mistake

This week’s IT-related “ooftas” was a mixed bag, starting out with yesterday’s “fat-finger” mistake by R. R. Donnelley & Sons, the U.S. Securities and Exchange Commission (SEC) financial reporting filing agent for Google.  Donnelley accidentally filed Google’s quarterly report some three hours before NASDAQ stock exchange trading ended instead of after the exchange had closed, the New York Times reported.  Google’s report, which showed an unexpectedly large fall in earnings, led to a loss in Google’s stock price of nearly 8% by the end of the trading day. At one point, Google’s stock fell so much that trading on it was temporarily suspended.

Although Google’s market capitalization dropped by $22 billion at one point, with its stock price at about $695 per share, no one is worried about the company’s immediate future – in fact, some analysts are seeing the mistake as creating a buying opportunity, the Wall Street Journal noted.

Donnelley’s share price fell off a bit as a result of its mistake, which it attributed to “human error,” and there is some speculation about whether it will be sued by Google for the early disclosure.

Knight Capital announced mid-week a quarterly loss of $389.9 million as a result of a bigger-than-estimated loss on its zombie trading algorithm debacle in early August, Bloomberg News reported. Knight thought the 45-minute or so trading fiasco would result in it taking a $440 million hit; instead it resulted in a $457.6 million loss. Knight had to seek $400 million in financial help to stay solvent. Its stock has remained in the doldrums since the fiasco, trading at about $2.60 a share as compared to the $10.33 before.

Ford also announced mid-week a recall of 262 000 Ford Fiestas built in Mexico between 3 November 2009 and 21 September 2012 and sold in North and South America. According to CarScoop, Ford discovered that “the curtain air bag on the passenger side will not deploy in some crashes when the front passenger seat is empty, thus increasing the risk of injury to the right rear occupant in the event of a side impact collision.”

Ford says it will be reprogramming the Fiesta’s Restraints Control Module (pdf) to fix the problem. Some 154 000 of the vehicles were sold in the U.S.

And in a glitch from last weekend, a Frenchwoman claimed that she received a final telephone bill for €11 721 000 000 000 000.00 from Bouygues Telecom after closing her account. According to a BBC News account, the phone company initially told the woman when she inquired about the bill that “there was nothing they could do to amend the computer-generated statement and later offered to set up installments to pay off the bill.”

The phone company eventually admitted that she owed only €117.21, and that the mistaken bill was due to a printing error. They apologized and decided to waive the amount owed, apparently because of the unsympathetic customer service advice she received.

What kind of surprises me is that the printing software would allow for so many digits to be printed in the first place. Or is Bouygues Telecom just planning ahead for runaway euro inflation in the EU?

Nissan Moves to Steer-by-Wire for Select Infiniti Models

Automotive manufacturers have been testing out vehicle “drive-by-wire” systems for quite some time now. Spectrum’s Elizabeth Bretz, for instance, wrote about the technology way back in April 2001. However, for the most part, drive-by-wire has been taking the scenic route in going from “coming soon to a car near you” to standard vehicle technology. It may finally have the finishing line in sight.

Yesterday, Nissan announced that it was going to be introducing "steer-by-wire" in select Infiniti models next year, along with an autonomous emergency steering system sometime within the next three to five years. Nissan claims that its steer-by-wire system—an “independent control steering technology that controls tire and steering angles inputs independently”—is the first to be introduced in mass-produced automobiles.

Nissan’s press release states that, “A conventional steering system directs tire movements by transmitting steering inputs to the tires via a mechanical link. Nissan's next-generation steering technology reads the driver's intentions from steering inputs and controls the vehicle's tire movements via electronic signals. This transmits the driver's intentions to the wheels even faster than a mechanical system and increases the direct driving performance feel by quickly and intelligently communicating road surface feedback to the driver.”

To help keep the automobile on track, Nissan is placing a camera in the rearview mirror which helps analyze “the road ahead, recognizes the lane direction, detects changes in the vehicle's direction, and transmits this information to multiple electronic control units as electronic signals. If a discrepancy occurs, the system acts to reduce the discrepancy by controlling the opposing force to the tire angle. By reducing the frequency of detailed steering input adjustments, which are a cause of fatigue on long drives, the driver's workload is greatly reduced.”

The system will have redundant electronic control units (ECUs) so that, “In the event a single ECU malfunctions, another ECU will instantly take control, and in extreme circumstances such as the power supply being disrupted, the backup clutch will act to connect the steering wheel and wheels mechanically, ensuring continued safe travel.”

A YouTube video on the steer-by-wire system indicates that along with the camera system, there are a total of three ECUs that are managing the steer-by-wire system.

Nissan’s autonomous emergency steering system will use the information from “the front-mounted radar and camera, the two left and right rear radars, and … five laser scanners attached around the vehicle” to determine whether there are any collision risks that can’t be avoided by braking and need to be mitigated. Furthermore, the system simultaneously checks to determine whether “there is a forward zone free of obstacles and that there are no vehicles approaching from the rear, and then displays to the driver the direction that the vehicle should be steered. If the driver cannot immediately steer in that direction, the system takes over to automatically steer the vehicle to help avoid a collision.”

Nissan has published a more detailed paper (pdf) of how the system works, as well as another video that shows the system in action on a test track.

It is hard to tell how much information is being used from Nissan’s “all around view” technology that utilizes 4 super-wide angle cameras to give a driver better situational awareness when parking or backing up, but I assume that some of it is being used in the autonomous emergency system above. Anyone have more insight into this?

In addition, anyone know what happens with the steer-by-wire system when the camera input is blocked, say by heavy, wet snow on the windshield? Or do Nissan windshields have cleaning technology to always keep that area clear, regardless of weather or other debris (like bird droppings) ending up there?

I'm also curious about projected repair costs for the steer-by-wire system compared to the mechanical system it is replacing. Again, anyone have a clue on the cost comparison?

Illustration: Delphi Automotive Systems Corp.

Online Advertisers Turning Up the Heat Against Making “Do Not Track” Browsers' Default Setting

A friend of mine, Jim Ericson, who is the editorial director for Information Management magazine, wrote a wry piece a few weeks ago titled, “Google and Other Stalkers.” It described his “split existence”: a highly visible life online as a writer about IT issues; and another, as private citizen, that he is trying to maintain. The latter, he says, is becoming less private every day as the Internet—and the data tracking it allows—expands to just about every device he interacts with on a daily basis. Many of us can relate to Jim’s quandary.

As Jim writes, “In real life I am employed to learn and report on several topics of data and information management. My private life, equally real, is my own business - though the gods of algorithms keep trying to help me out with that… At the risk of stating the obvious, I’ll start by blaming Google’s AdSense and other online services that follow you around like needful pets. I like pets, just not everywhere I go.”

And, according to a story last week in the New York Times, online advertisers are working overtime to ensure that your “needful pets” will always be by your side offering you a wide range of targeted advertising, whether you want them underfoot or not. The Times story outlines the aggressive campaign launched last month by advertising industry groups such as the Association of National Advertisers, Digital Advertising Alliance, and the Direct Marketing Association, which are trying hard to defang the “do not track” movement, which is intended to give consumers increased control over who can track them online and what data the trackers are able to acquire.

The industry trade groups contend that the decision of browser providers like Microsoft and Mozilla to default browser settings to “do not track,” instead of forcing consumers to deliberately select the “do not track” option, will destroy the Internet as we know it. For instance, the Association of National Advertisers (ANA) sent an open letter to Microsoft a few weeks ago condemning its decision to make “do not track” the default setting in Internet Explorer 10. The overwrought letter makes for entertaining reading.

In the letter, the ANA states that Microsoft’s move will “undercut the effectiveness of our members’ advertising and, as a result, drastically damage the online experience by reducing the Internet content and offerings that such advertising supports. This result will harm consumers, hurt competition, and undermine American innovation and leadership in the Internet economy.”

Microsoft’s action, the letter goes on to state, “has been uniformly met with outrage, opposition, and declarations that Microsoft’s action is wrong. The entire media ecosystem has condemned this action.”

Further, “Microsoft’s Internet Explorer Browser currently has a 43 percent market share in the United States. By setting the Internet Explorer browser to block data collection, Microsoft’s action could potentially eliminate the ability to collect web viewing data of up to 43 percent of the browsers used by Americans.”

The ANA claims that without this information, consumers would have to start paying for content that they now get for free, which would “significantly reduce the diversity of Internet offerings and potentially cheat society of the robust offerings that are currently available.”

Elsewhere, the Direct Marketing Association says, in support of tracking users online, that, “Consumers love getting what they want—information, products, benefits, upgrades—when they want it… There is no evidence that data-driven marketing harms consumers in any way.”

The ANA letter was signed by a host of companies, including Adobe, Allstate Insurance, American Express, AT&T, Bank of America, Coca-Cola, ConAgra Foods, Dell, IBM, Intel, Fidelity Investments, Ford, GE, General Mills, GM, Johnson & Johnson, Kellogg, Liberty Mutual, McDonald's, MillerCoors, Motorola, Nestlé USA, PulteGroup, Procter & Gamble, Siemens, Subway, Toyota, Unilever, Verizon, VISA and WalMart.

It’s very nice of the ANA to point out the companies who think that information about your Web viewing habits is rightfully theirs. Especially since the ANA and other industry groups are now saying that “it would not require members to honor the forthcoming [Microsoft] browser’s don’t-track-me signals.”

That decision will no doubt go over well with users of IE 10 who really don’t want to be tracked. Somehow I don't think those folks are going to be blaming Microsoft for violating their do not track wishes.

It should be said that websites currently have no legal obligation to honor browser do not track requests. The European Union, however, is thinking hard about changing that situation, at least for EU residents. Right now, EU companies with an online presence need to get user consent to install cookies. It isn't much of a leap to require do-not-track requests be honored.

What the advertising industry says it wants in exchange for voluntarily honoring users' do-not-track requests, the Times reports, is for online users to have to choose to set their browsers to “do not track” as well as a requirement that when they do change their browser to that setting, they automatically get a warning message telling about “the potential effects of eschewing tailored ads.” In effect, it wants a pet that follows you around the Internet that constantly barks at you whenever you don’t feed it your browsing data.

Of course, if the members of the ANA and other advertising industry groups are truly serious, they should state unequivocally that they will completely abandon all advertising on the Internet if Microsoft's and other browsers insist on making do not track the default setting.

I can hardly wait for that announcement.

This Week in Cybercrime: Filipino Anti-Cybercrime Law Put On Hold Over Civil Rights Concerns

Security or Censorship?

Despite universal agreement that cybercrime is becoming a scourge to Internet users, observers looked on with great apprehension when the Philippines introduced a new anti-cybercrime law last month that makes online libel a criminal offense and blocks access to websites the government says are in violation of the statute. After criticism from journalists and civil rights groups who predicted that the law would be used by politicians to prevent dissent, the Philippine Supreme Court on 9 October issued a temporary restraining order stopping the government from enforcing the law for at least 120 days. The order also gave the government 10 days to respond to several petitions seeking to have the law declared unconstitutional. In a petition filed by the National Union of Journalists of the Philippines, the group said the law would "set back decades of struggle against the darkness of 'constitutional dictatorship' and replace it with 'cyber authoritarianism.'"

Internet Users Not Particularly Careful

According to a survey by the National Cyber Security Alliance (NCSA) and Internet security firm McAfee, 17 percent of U.S. residents say they have been victims of some form of crime committed via the Internet. And while nearly half of respondents said that they regularly access the Internet via smartphones, 64 percent admit that they have never installed security software or apps on their devices in order to make them more secure from viruses or other malware. Half of those surveyed said they are allowed to use a personal tablet, smartphone, or laptop to carry out their daily job functions. The report also notes that nearly half of respondents said that their companies don’t have an established Internet security policy or formal training. The survey results don’t include any information on how much of an overlap there is between the half of respondents that are allowed to use their personal devices and the half that haven’t been coached on how to keep their (and by extension their companies’) data out of the hands of cyberthieves. Here’s hoping that it’s minuscule. Michael Kaiser, executive director of the NCSA, told the Sacramento Bee that, “This data supports an ever-increasing need for online users to be vigilant in their actions each day. Working together, we can provide Americans with the tools and information they need to practice safe online behaviors during October [which is National Cyber Security Awareness Month] and throughout the year.”

Beware Browsers Blabbing

According to the UK Register, Mozilla alerted Web surfers on 10 October that the latest version of its Firefox Web browser, released a day earlier, contained a vulnerability that allowed a cybercriminal hosting a malicious website to view a user's browsing history. In a security warning, Mozilla security chief Michael Coates assured Firefox users that there had been no reports of anyone exploiting the flaw in Firefox 16 and that a patch was being made ready as quickly as possible. An updated version that sews up the security hole was released on 11 October.

Cyberthieves Taking Out “College Loans”

Last week, we reported on this blog that dozens of universities had been the victims of cyber break-ins by a group that posted the personal data of thousands of students, faculty, and administrators online. Now, a Security Week article reports that a group of hackers has breached a server at Northwest Florida State College that contains nearly 300 000 records. They include information about nearly 77 000 current and former students, 3200 school employees, and 200 000 Florida students identified as Bright Future scholars. What’s a cyberattack at one school compared with a multipronged one affecting more than 50, you ask? Security Week reports that, according to the school’s president, the information gleaned from this breach has already been used to commit at least 50 acts of identity theft. The school told Security Week that among the exploits pulled off using the data was a scheme to borrow money from two Canadian payday lenders using school employees’ information. The loans were set up so that the proceeds went to the thieves but would be repaid from the employees’ bank accounts.

The Value of Electronic Health Records: The Debate Continues

The eight articles that the New York Times published this week in a special Science series on health information technology called “The Digital Doctor” covered everything from advances in imaging technology to the psychological impacts of a wired society. The articles are well worth a read.

One story, on the “ups and downs” of electronic health records (EHRs), examined doctors' and nurses' experiences as EHRs become more widespread because of the U.S. government’s multi-billion dollar EHR adoption incentive program. What I found interesting in the Times story was the admission by some of the fiercest advocates for EHRs, like Dr. David Brailer, the first national coordinator for health information technology, that, “The current information tools are still difficult to set up. They are hard to use. They fit only parts of what doctors do, and not the rest.”

Or, as one doctor put it, "Like so many other things in health care, the amount of [EHR] accomplishment is well short of the amount of cheerleading."

Brailer is still a strong advocate who believes EHR benefits far outweigh all the costs and risks involved. He claims that the problems now being experienced will quickly disappear over the next decade as “most of the clunky first-generation tools” will be replaced. Of course, the U.S. government's EHR incentive program will be long over by then, and doctors and especially hospitals, which are spending millions of dollars on their current EHR systems, are going to be stuck with the costs of converting to “Generation-2” EHR systems.  My guess is that many hospitals and doctors’ offices won’t upgrade until they absolutely, positively have to do so. Just look at the banking industry and its ever-aging IT systems.

The New York Times article reflects a lot of the debate—and confusion—surrounding the true value of EHRs taking place in the health community. For example, last week the Bipartisan Policy Center released results of a recent survey of some 500 doctors indicating that a “majority of physicians [surveyed] agree that the exchange of health information via electronic health record will improve the quality of care they provide to their patients, especially before and after transitions of care,” says an article at EHR Intelligence. Over 70 percent of doctors in the survey note that the lack of EHR interoperability is a major barrier to patient care. As a result of the survey, the Bipartisan Policy Center is calling for the government to increase the incentives to accelerate EHR adoption and their interoperability.

On the other hand, as reported by iHealthBeat, a recently released Physicians Foundation survey of more than 13 000 doctors found that while 33 percent said that their EHR system has improved care quality, 19 percent indicated that it had not, and that they do not anticipate it doing so. Another 13 percent of the doctors surveyed expect their EHR systems to eventually improve care quality, while yet another 13 percent report that EHRs have had no effect on care quality. Finally, some 10 percent of the doctors surveyed also indicated that their EHR system has decreased care quality and that they do not expect the situation to improve with time.

Of course, in both these surveys, it is impossible to tell what portion of the problems (or benefits) are related to the individual EHR systems themselves as opposed to other factors, such as staff training. I don’t know of any large-scale “apples to apples” comparison of different EHR systems to really understand the benefits, problems, risk or cost issues involved.

Until that happens, expect more dueling EHR surveys, and more arguments over whether EHRs increase or decrease medical costs.

Toyota and Subaru Offer Conflicting Software Fix Advice

An intriguing Auto Week story last week caught my attention involving a software problem in the new "GT-86" sports coupe that Toyota and Subaru jointly developed. According to the story, owners of the new 2013 Toyota Scion FR-S and its twin the Subaru BRZ have been complaining about rough idling and stalling conditions affecting their new cars. Both Toyota and Subaru say that the problems are not related to a mechanical defect but instead are related to a software “bug” related to the engine control unit (ECU).

Auto Week reports that a Toyota spokesperson told them that “when the engine control unit ... is installed, it adapts to the car's powertrain and owner's driving patterns, a process known as adaptive learning. Within 160 kilometers, those settings are basically frozen in the ECU.”

The spokesperson went on to state that the software that “allows the ECU to establish a ‘handshake’ with the engine is in error. The ECU monitors certain driving conditions, and when the engine is found to be out of tolerance, the software picks up an anomaly. When this happens, the ECU triggers a fault code. As the ECU tries to find an optimal driving condition outside its prescribed tolerances, a rough idle or stalling situation ensues. Typically, the check engine light illuminates and a fault code of P0019 shows up on diagnostic readers.”

Okay, sounds like incomplete ECU requirements definition and faulty testing scenarios may be the problem here, which, given that it is a new model sports car, is not entirely surprising.

What is a bit strange is the next part of the story. According to Auto Week, Toyota is saying that if the Scion FR-S has less than 160 km on it, its recommendation is that a technician reflash the ECU with new software. However, if the car’s mileage is more than 160 km, Toyota recommends the ECU be replaced.

However, Auto Week reports that Subaru told it that the issue is “not a mileage dependent issue,” and that all that needs to be done is for the ECU to be reflashed, not replaced.

They are identical car engine electronics, aren't they?

And isn't 160 km of driving a rather small sample set for a sports car? I know whenever I bought a sports car, the first 160 km wasn't anything like the next 160.

Auto Week goes on to report that many owners of the new sports coupe have already had their ECUs reflashed or replaced, yet the rough idle and stalling conditions have not gone away: only now new fault codes apparently show up.

Makes you wonder which company is responsible for the ECU software, and whether there are other software bugs lurking about in the ECU code that testing hasn't found. I’ll let you know whether anything new turns up.

Sprint Cable Cuts Smack Alaska Airlines Hard

I wonder if Alaska Air Group's enterprise risk management team had this risk on their watch list.

At 0730 Pacific Time yesterday, Alaska Airlines (and its sister carrier Horizon Air) started experiencing what it termed at the time to be a “software outage” that brought down its SABRE reservation system, forcing the airline to go into manual operation mode. As you can expect, chaos soon took hold at its check-in desks.

It took a bit of time for Alaska and SABRE to discover that it wasn’t a software issue at all but a network connectivity-related one: a Sprint fiber-optic network cable was accidentally cut during maintenance work being performed on a railroad track someplace between Chicago and Milwaukee. 

The severed Sprint cable also affected other airline users of SABRE, including American, Frontier and Southwest Airlines. However, after about 45 minutes, these airlines were able to once again access SABRE as reservation and other passenger data was automatically rerouted over another portion of Sprint’s network.  Few flight disruptions were reported by these airlines because of the outage.

Unfortunately for Alaska Air, another Sprint fiber-optic cable, this one an aerial cable located somewhere between Portland, Oregon and Tacoma, Washington was mysteriously cut as well yesterday morning Pacific time. This second severed cable happened to be the one that was supposed to reestablish communications between Alaska Airlines and the SABRE system. Alaska Airlines and SABRE were unable to communicate for over five hours until Sprint finally got the first cable cut repaired.

Alaska and Horizon Air ended up having to cancel 78 flights, affecting nearly 7000 passengers in the process. Thousands more passengers were inconvenienced, as their flights were delayed up to four hours. In addition, an untold number of Sprint customers in California, Oregon, Minnesota, and Washington also lost service for several hours because of the cable cuts.

As of this morning, Sprint still hasn’t explained the reason for the second cable cut. Yesterday, Sprint said it could not rule out sabotage.

I would be happy to hear from someone who specializes in network reliability analysis who can tell me the odds of Alaska Airlines losing connectivity with SABRE by having these two exact cables being accidentally severed at nearly the same time.

This Week In Cybercrime: Your Computer is Infected. May I Help You?

Scareware Crackdown

Who hasn’t been busy on their computer and received an e-mail or pop-up window in the Internet browser warning that their computer has been compromised and that it is imperative to contact a certain company to rid the machine of harmful viruses? That type of scam, called scareware, has become a major focus of the U.S. Federal Trade Commission (FTC). On 3 September, the FTC reported that it has taken a leading role in investigating reports of consumers being defrauded by scammers who convince them to turn over control of their computers—ostensibly to fix them—only to extort sometimes hundreds of dollars for unnecessary repairs. The announcement came the day after a U.S. court levied a total of $163 million in fines against several scareware distributors found guilty of tricking more than a million computer users into believing that their machines were riddled with malware.

Nate Anderson, an Ars Technica editor, details a textbook example of the ruse in an article based on his conversation with a scammer who insisted he was calling from the clearly fictional ‘Windows Technical Support.’ “My computer, he told me, had alerted him that it was infested with viruses,” Anderson wrote. “He wanted to show me the problem—then charge me to fix it.” The only problem, Anderson explained in the article, was that he isn’t a Windows computer user. So it was clear from the outset that the offer of assistance was a setup. Unfortunately, so many others fall for these come-ons.

DHS Cries Wolf

To what can we attribute the U.S. Department of Homeland Security’s spreading of false claims that Russian hackers had broken into an Illinois water district’s SCADA system and sabotaged a water pump? This after DHS had taken to task a regional fusion center (where federal, state, and local law enforcement agencies share and analyze information) for causing needless panic with the same information. A Wired article reports that a U.S. Senate subcommittee investigation has revealed that the agency pushed the false information in reports to Congress and the intelligence community even after the FBI and other investigative agencies had debunked the story. Worse, says the congressional report, which was released on 2 October, is that DHS never did get around to retracting its claims. The department’s excuse? “[The unsubstantiated claims did] exactly what [they were] supposed to do – generate interest,” DHS officials told Senate investigators. But interest in what exactly?

SchoolofCompromisedComputerSystems.edu

The New York Times reports that on 1 September, a group of hackers calling themselves Team GhostShell posted thousands of purloined personal records from 53 universities around the world, including Harvard, Stanford, Cornell, and the University of Zurich. The data includes the names, usernames, passwords, addresses and phone numbers of students, faculty and staff at the schools. Though most of the data was already publicly available, some sensitive information such as university employees’ payroll information was in the mix. The hackers, who published the material on Pastebin.com, insist that their actions were not motivated by profit but to “raise awareness towards the changes made in today’s education.” The group, which took the opportunity to lodge a complaint about changes in Europe’s education laws and rising tuition in the United States, noted that they were not the first to break into a goodly portion of the servers they breached. “When we got there, we found that a lot of them have malware injected,” the hackers wrote on Pastebin.

Algorithms Gone Wild

In what seems to be turning into a weekly event, reports are coming out of India today that 59 erroneous trades caused the National Stock Exchange (NSE) Nifty index to plunge over 800 points in a few minutes, wiping out some $58 billion in value from the fourth largest market in Asia, Bloomberg News reported. Trading was suspended for about 15 minutes this morning until the erroneous trades could be straightened out.

According to an Indian Express story that quoted from an NSE statement, a trader at Emkay Global Financial Services Ltd entered “59 erroneous orders which resulted in multiple trades for an aggregate value of over Rs 650 crore [about US $126 million]… These non-algo market orders have been entered for an erroneous quantity which resulted in executing trades at multiple price points across the entire order book thereby causing the [market] circuit filter to be triggered.”

Emkay was able to unravel the trades, and close out its position, the Express story stated. Its trading on the NSE was also disabled; Emkay’s own stock took a beating once the NSE resumed trading, dropping 10 percent, at which point trading in its stock was suspended.

Earlier this week, the NASDAQ had its own trading uffda, but this time caused by yet another trading algorithm gone wild. As told by the Wall Street Journal, some twenty seconds after the NASDAQ opened on Wednesday at 0930, “sales in Kraft's shares bounced back and forth between levels that were more than $7 apart, without hitting any prices in between. That gulf, known as the ‘bid-ask spread,’ was far wider than those typically seen in stocks like Kraft.” This all occurred in a span of 5 seconds, which, as the WSJ stated, is “a long stretch in a largely electronic market dominated by computers that measure trading times in millionths of a second.”

A story in the Financial Times of London reported that the NASDAQ determined within an hour that the trades were clearly erroneous and cancelled them. The trades also affected other exchanges, including NYSE Arca, Direct Edge, and BATS, which all agreed to cancel the trades.

The FT cited Eric Hunsader, chief executive of Nanex, a market data company, as saying “the problem appeared to be an algorithm that was trying to buy 30,000 shares in Kraft but did not want to skew the market by buying them all at once. ‘The trades were spread out by milliseconds and look to have executed at 11 different trading venues.’ ”

The NASDAQ has declined to name the trading company involved or what action it is taking as a result. The most it would say is that the exchange system worked as designed.

In a bit of irony, on Tuesday, the U.S. Securities and Exchange Commission (SEC) hosted an industry-government roundtable of leading equity market participants to discuss the recent spate of high-frequency trading glitches. SEC Chairman Mary L. Schapiro said that so far, investigations into the glitches show that they are the result of “basic technology 101 issues.” Schapiro implied in her remarks aimed at industry that if these glitches continue and cause “collateral damage to investors and their confidence in the integrity and stability of our markets,” the SEC will take action that the exchanges and equity market participants won’t likely enjoy.

There was no comment by Schapiro on the Kraft trading glitch the day after her not-so-subtle warning to industry to get things sorted.

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributors

 
Contributor
Willie D. Jones