Risk Factor

This Week in Cybercrime: Black Hat USA 2013 Uncovers a Bevy of Exploits

Spy Chief Addresses Hacker Nation

The highlight of this week in cybercrime was the Black Hat USA 2013 conference that took place in Las Vegas. Though dozens of cybersecurity researchers showed up to alert the world to the wide-ranging vulnerabilities that could be exploited by cybercriminals, the top story was the appearance of Gen. Keith Alexander, director of the National Security Agency and chief of U.S. Cyber Command. Alexander was booked to deliver the gathering’s opening keynote address well before Edward Snowden’s revelations about the NSA’s PRISM program for collecting phone call metadata. So there was much speculation about whether Alexander would show up, whether he should, and what type of reception he would receive. In video of the talk, recorded by Kaspersky Lab’s Threatpost, the audience,

“was initially cordial and attentive, but soon turned somewhat restive and hostile. While Alexander defended the NSA’s intelligence-gathering efforts and provided examples of how they had led to the disruption of terror attacks in recent years, some people in the audience were uninterested and shouted criticisms and accusations at him.”

What a nice way to get the party started.


Pennsylvania Won’t Renew IBM's Contract for Botched Project

Pennsylvania’s Labor and Industry Secretary Julia Hearthway announced Wednesday that the state has decided not to renew its contract with IBM to modernize the state’s 40-year-old unemployment compensation computer system. According to an AP report, the contract, which was awarded in 2006 and is set to expire in 2013, is currently 42 months late and over $60 million above its original contract amount of $106.9 million.

IBM's Fred Brooks once famously wrote in his groundbreaking 1975 IT project management book The Mythical Man-Month that IT projects become a year late one day at a time. Of course, Brooks meant it as a warning, not as a goal, something that Brooks may want to explain to his old company.

The state decided to end the contract after a US$800 000 assessment of the effort by the Software Engineering Institute (SEI) indicated that the critical objective of the modernization effort, namely a demonstrated “capability to reliably, consistently, and accurately process unemployment claims, calculate payments, and enable payment to eligible citizens who are out of work,” doesn’t yet exist, and apparently there is no agreement on when, if ever, such a capability will exist.


Researchers Hack Into Car Immobilizers, But Can’t Say How They Did It

Where do you draw the line between deciding what people need to know and what should be kept out of the wrong hands? It’s never been easy. The Guardian broke a story about three computer scientists who tried to publish a paper analyzing a faulty algorithm that could let criminals steal cars—that is, before the English High Court of Justice stepped in and issued a provisional ban.

Flavio Garcia, a University of Birmingham computer science lecturer, decoded the algorithm that allows the engine immobilizer to verify the authenticity of a car key. He had hoped to publish his findings in a paper called “Decoding Megamos Crypto: Wirelessly Lock-picking a Vehicle Immobilizer,” at the Usenix Security Symposium next month in Washington, D.C. But Volkswagen and the creators of the algorithm, the French security company Thales, were none too happy about this.

Megamos Crypto is a system that uses RFID (radio-frequency identification) to disable a feature that prevents the engine from starting. The crypto algorithm sends a signal from the car key to the engine immobilizer.


IT Hiccups of the Week: Ohio Bank Blames GPS for Wrong House Repossession

It has been another busy week in the land of IT-related snarls, malfunctions and snafus. We start off this week’s edition with a bank which blamed a house repossession error on bad GPS coordinates.

Bank Repo Crew Repossesses Wrong House

Katie Barnett of McArthur, Ohio, returned to her house after a two-week vacation to find that the locks on her doors had been changed. Fearing that a squatter had tried to take over her home while she was away, Barnett broke in only to find that all her possessions were gone, says a story in the Daily Mail.

What Barnett soon found out was that a repo crew sent by First National Bank of Wellston, Ohio, had mistaken her house for the bank-owned home across the street, even though her house number is 514 and the one across the street is numbered 509.

According to an ABC News story, the bank’s president and CEO Anthony Thorne put out a statement (pdf) on the bank's website that blamed the problem on a GPS error. Thorne’s statement says that the GPS locator led the bank's “representatives” to the “wrong home, which was located on the same street as the target property (we have since retraced their route using the same GPS, and it again took us to the same wrong location).”

The representatives, Thorne claims, “noted that the grass was overgrown, the door was unlocked, and the utilities had been turned off. The home was also nearly empty, with two dressers being the only furniture inside the premises, and a neighbor indicated that the home had been vacant for some time.” So they apparently assumed that even though the house number was wrong, they were at the right place.

Thorne stated, “This situation was a mistake on the part of our bank and—as we have done previously—we sincerely apologize to the homeowner for the inconvenience and concern it may have caused. In addition, we communicated to the homeowner our desire to compensate her fairly and equitably for her inconvenience and loss.”

There seems to be a disagreement, however, over the amount of compensation owed. Barnett provided the bank with an itemized list of what she claimed was lost, which she said amounted to US $18 000 of personal property. However, the bank disagrees that the two dressers and other personal property it says its representatives discovered in the house were worth that much. The bank wants Barnett to come up with receipts for what she claims the representatives removed, and then the bank will decide how much to pay based on a fair market valuation. Exactly how Barnett is supposed to come up with receipts that would likely be in the “trash” that the bank’s representatives admittedly threw out wasn’t explained by the bank in its statement.

Barnett is now planning a lawsuit against the bank.

Technology, Equipment Problems Blamed for 1 in 4 Surgical Errors

The prospect of undergoing a surgical procedure is always likely to cause anxiety. A research study published last week in the UK journal BMJ Quality & Safety will probably only make going under the knife even more anxiety inducing. According to the study of surgical technology and operating-room safety failures, nearly one-quarter (23.5 percent) of all surgical suite errors can be attributed to “failures of equipment/technology.”

The research study, which examined published studies on surgical safety failures, discovered that “an average of 2.4 errors was recorded for each procedure, although this figure rose to 15.5 when an independent observer recorded the errors,” a story at Science Daily noted.

Of the failures categorized as being related to equipment issues, 37 percent were attributed to equipment availability, 44 percent to problems with equipment configurations and settings, and 33 percent to device malfunctions. It is unclear how many device malfunctions are the direct result of software problems, or if equipment issues also involve operator error, which has been a concern recently with robotic surgery.

A story at LiveScience indicated that medical errors affect around 15 percent of patients, with half of these resulting in adverse events. Not surprisingly, LiveScience noted that the BMJ Quality & Safety study found “operations that rely heavily on technology, such as heart surgeries, had higher rates of equipment problems than did general surgeries.”

Using pre-operative checklists, standardizing the use of briefing tools, and improving staff training reduced error rates by half, the study found.

In addition, a blog post in the New York Times last week reported on another interesting research study (pdf) to be published in next month’s issue of the Mayo Clinic Proceedings; the paper found that “more than 40 percent of established practices studied were found to be ineffective or harmful, 38 percent beneficial, and the remaining 22 percent unknown.”

I can hardly wait until the BMJ Quality & Safety and Mayo Clinic Proceedings studies are compared to see how many equipment/technology surgical safety errors happen in conjunction with ineffective or harmful medical procedures.

Gold’s Gym Customers Hit By Billing Error

While not as traumatic as having your house repossessed, some customers of a Gold’s Gym in Palm Springs, Calif., were less than amused when they found out that a “computer glitch” in the electronic billing system the gym uses charged “thousands of dollars” to their credit card accounts early last week, a story at the Desert Sun reported. According to the Sun’s story, numerous members found they were charged anywhere from US $1500 to $7000 for their monthly membership fees. As a result, many of those gym members found their credit cards and for some, their bank accounts, reportedly overdrawn.

The software error, which originated at third-party Ohio-based credit card billing company Vantiv, was rectified within a day. Vantiv said no money actually was charged; only a “preauthorization” charge (a hold) was put on the credit cards. Of course, the effect for the cardholder when trying to access his or her money is basically the same. Gold’s Gym says it will refund any bank fees incurred by customers due to the error.

Gold’s Gym wasn’t the only gym hit by Vantiv’s error. According to a story at television station WRAL in Raleigh, N.C., some members of Fitness Connections in that city discovered that credit and debit cards with which they paid their monthly fees had been hit with “preauthorization” charges in the thousands of dollars. The WRAL story says the problem was caused by Vantiv’s billing system dropping a decimal point which turned a US $29.90 monthly membership charge into a $2990 one instead.

Fitness Connection said it would also refund any customer bank fees incurred as a result.

Also of Interest…

New York City’s Emergency 911 System Again Crashes Multiple Times

Las Vegas' McCarran International Airport Network Crashes, Severely Delaying Passenger Check-in

Arizona Motor Vehicle Department Sees Uptick in Computer Problems

New Jersey Motor Vehicle Commission Suffers Computer Problems for Second Time in a Week

"X Factor New Zealand" Fans Outraged at Voting Problems

Lincoln City, Oregon Sends Out Incorrect Water Bills

Louisiana Department of Revenue Sends Out Erroneous Tax Notices

Image: iStockphoto

This Week in Cybercrime: Online Bank Heists Just the Latest in a Long String

Late last month, I began an edition of This Week in Cybercrime by noting that, “The idea that cybercrimes are the work of miscreants or gangs of hackers picking targets at random is outmoded. Analysts now see a mature industry with an underground economy based on the development and distribution of ever more sophisticated tools for theft or wreaking havoc.” That updated thinking was backed up by a report released a few days earlier by researchers at 41st Parameter, a fraud detection and prevention firm.

Further reinforcement came this week when U.S. federal prosecutors filed charges against five people for orchestrating what is said to be the largest hacking/data breach/bank robbery case ever reported. “The defendants and their co-conspirators penetrated the secure computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, and stole the personal identifying information of others, such as user names and passwords,” prosecutors said. The crew of cybercrooks netted at least 160 million credit and debit card numbers. Let that number sink in for a second.

The estimated financial losses stemming from the thefts reach into the hundreds of millions of dollars.

Of the five defendants—Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, and Dmitriy Smilianets of Russia, and Mikhail Rytikov of Ukraine—only two, Drinkman and Smilianets, are in custody. The other three are on the run, which is unfortunate, because Kalinin has been prolific in his efforts to pick financial institutions clean. According to the prosecutors, from December 2005 through November 2008, Kalinin and a separate co-conspirator hacked into Citibank and PNC Bank computer systems and stole account information they subsequently used to withdraw millions of dollars from victims’ bank accounts.

For example, in January 2006, they launched a cyberattack on PNC Bank’s online banking site and walked away with hundreds of the personal identification numbers associated with customers’ ATM cards. Kalinin’s partner in crime turned the data over to associates who used it to encode blank ATM cards and withdraw $1.3 million from victims’ accounts. In 2007, Kalinin repeated the feat, that time going after the network of a firm that processed ATM transactions for Citibank and other banks. He stole PINs for half a million bank accounts, including those of 100 000 Citibank customers. He and his co-conspirators used the spoofed ATM cards they created to rob Citibank—in broad daylight, without guns or masks—to the tune of $2.9 million. A year later, Citibank was again in the online bank robbers’ crosshairs. Amid a cyberattack against the bank’s website, they stole 300 000 account holders’ information. This time the haul from faked ATM cards was $3.6 million.

In a separate case, for which Kalinin was also charged on Thursday, prosecutors allege that between 2007 and the fall of 2010, malware he placed on servers used by the Nasdaq financial exchange allowed him to incrementally elevate his level of administrative access until the point, in January 2008, that he had unfettered control. He marked the occasion with a jubilant instant message: "NASDAQ is owned." The government alleges that the 26-year-old native of St. Petersburg, Russia, got his foot into the door of Nasdaq's systems when he noticed a small vulnerability on its website.

Prosecutors named 16 separate corporate victims of the Russian and Ukrainian cyberthieves’ reign of terror. Most of the damage was done in breaches of systems at: Heartland Payment Systems Inc., a credit and debit card payment processor that had 130 million card numbers stolen from its databases; Commidea Ltd., a European electronic payment processor for retailers, that had 30 million card numbers stolen; and Euronet, a Leawood, Kansas–based electronic payment processor that lost roughly 2 million card numbers to malware. Other notable names that were targeted include Visa, Discover, Dow Jones, and J.C. Penney.

The alarm with which the gang of five’s activities was reported is itself startling. It’s not as if a certain blog doesn’t update readers on what happens each week in the world of cybercrime. And it’s not as if, in 2013 alone, This Week in Cybercrime hasn’t highlighted several other techno bank robberies, in the process making it clear that financial institutions are increasingly vulnerable.

In May, for example, we reported that seven people were arrested for coordinating 40 000 fraudulent cash machine withdrawals in 27 countries (with a total haul of $45 million) within hours after they hacked into the servers of credit card processors in the United Arab Emirates and Oman. And in June, we noted that U.S. prosecutors charged a gang of Ukrainian cyberthieves with stealing account information from 15 different payment processors, banks, and online brokers and using it to transfer funds to prepaid debit cards. After the transfers, they would have roving teams of “cashers” hit ATMs to withdraw cash or make purchases with the ill-gotten loot.

The banks should do a better job at securing their networks, you say? That may not be possible, says a report from the FireEye Malware Intelligence Lab that we discussed back in April. The report, on advanced persistent threats [pdf], found that some companies (banks fit the description) have to fend off attacks as often as once every three minutes. It’s not realistic to expect them to stand up to the growing volume and increasing sophistication of digital assaults. "This nearly continuous rate of attacks and activities is indicative of a fundamental reality: these attacks are working, yielding dividends," said the report. An Ars Technica article describing the Nasdaq hack notes that,

"The indictments give a birds' eye view of the patience and meticulousness hackers employ when penetrating some of the world's most well-fortified networks."

Photo: Tim Robberts/Getty Images

IT Hiccups of the Week: U.S. State Government IT System Meltdowns Galore

After a couple of quiet weeks, IT related snafus, snarls and ooftas reappeared with a vengeance last week. We start off with several U.S. state governments’ IT systems that have had better weeks.

Oregon, New Mexico, Kansas, North Carolina, New Jersey and Iowa Experience IT Problems

Last Monday evening at 7 p.m. Pacific time, government contractor Hitachi initiated a planned hardware upgrade to add storage capacity to Oregon’s State Data Center (SDC) computer systems located in Salem, Ore. The work, according to Matt Shelby, spokesman for the Department of Administrative Services, “was not supposed to cause any disruptions,” a story at the Oregonian reported. However, Shelby told the paper, “During the course of that work, a catastrophic failure and major connectivity issues arose.”

As a result, 90 state agencies were unable to connect with the data center and thus to each other. The outage knocked out a range of services including Oregon’s Department of Transportation TripCheck road cameras, government e-mail and websites, and the processing of some 70 000 state unemployment checks. The hardware problem was fixed Tuesday morning, and state services were restored by midday Tuesday. 

Next, New Mexico continues to have trouble with its new unemployment computer system as well, an AP story from last week reports. An audit (pdf) of the $48 million system—which was originally supposed to cost half that—was released last week by the state's Legislative Finance Committee. The report stated that the new system, which went into operation in January, “is complex and can be difficult for users to navigate.” According to the AP story, businesses and individuals who've used the system say that the phrase “can be difficult” should be changed to “is exceedingly difficult”—so much so that a New Mexico state senator said that the state should consider going “straight back to paper because the system doesn’t work.”

The head of the state agency responsible for the system, Workforce Solutions Secretary Celina Bussey, told the AP that she considers the unemployment system implementation a success, but concedes that maybe the system interface could be more user-friendly. That may be a bit of an understatement: for example, it previously took unemployed workers 15 minutes to make a claim; now, with the new system, it takes up to an hour, the audit reported. Unemployed workers calling the state's help lines with their applications face long telephone wait times as well, the audit states.

In addition, the audit reports that the unemployment system suffers from “data conversion defects, limited application testing and the lack of a contingency and disaster recovery plan,” the latter of which it says creates “conditions of risk.” In other words, don't be surprised if the new unemployment system suddenly keels over.

Moving on to Wichita, Kansas, where television station KWCH reported last week that the unemployment system in Kansas has been having problems of its own. According to the story, the Kansas Department of Labor “was upgrading its servers when it discovered a software problem” that caused a delay in the issuing of an unknown number of unemployment checks for over a week. On top of not being able to tell how many Kansans were affected by the software problem, the Department of Labor didn't offer an explanation of why it kept the information about the problem quiet until the television station made inquiries about it.

North Carolina got a double dose of government IT system problems last week. First, the state’s new family assistance system NC FAST (North Carolina Families Accessing Services through Technology) reportedly experienced difficulties, according to a story at Fox News Channel WGHP in Highpoint, North Carolina. The story reported that “several Department of Social Services [offices] across the state [were] reporting glitches” that were keeping families from receiving food stamps. The state said it was trying to determine what was causing the problems and fix them.

North Carolina also continued to have problems with its new, expensive and controversial computerized Medicaid billing system NCTracks, which went live on 1 July. Some businesses have been claiming the new system has been a nightmare to deal with. I'll be writing more about the issues with NCTracks later this week.

Then on Friday, the New Jersey Motor Vehicle Commission’s computer system was offline for the entire day. According to a story at the New Jersey Journal, a “fire alarm was activated at one of the state’s data centers, causing the state’s website, including the MVC division, to shut down automatically” at about 2 a.m. Friday morning. While data center technicians were able to get most other state agencies back online by mid-morning Friday, they weren't successful in getting the MVC and “one section of the Department of Labor and Workforce Development” up and running, an article at the Record reported. MVC offices stayed open an extra hour on Saturday to compensate for Friday's outage.

Finally, last Friday night, a “faulty piece of equipment on the Iowa Communications Network, the state-owned fiber-optic system,” caused emergency 911 calls made from cell phones across Iowa to be “routed to out-of-town” call centers, a story at the Des Moines Register reported. An AP story stated that “a vendor tried to install new software to fix the problem, but that made it worse.” In addition, the “backup system also failed to activate,” the AP stated. The routing problem was finally fixed late Saturday morning.

PayPal: What's $92 Quadrillion Between Friends?

Back in 2007, Joe Martins closed a bank account at Wachovia Bank and got a letter inquiring about when he was going to pay off his US $211,010,028,257,303.00 outstanding balance. Well, if that happened to Chris Reynolds, it would not be a problem.

According to a story last week at the Philadelphia Inquirer, thanks to the generosity of PayPal, Reynolds was worth $92,233,720,368,547,800.00. Heck, even after paying off Martins’ $211 trillion debt, Reynolds would still have a nice $92 quadrillion and change left over to maybe buy himself a nice country or three.

Alas, it was all a mistake. PayPal told Reynolds that his real account balance was a measly $0.00, but it would “donate an unspecified amount of money to a cause of Reynolds' choice,” as a way to make up for the error, CNN reported.

Texas Lubbock Power & Light Apologizes for Billing Error

While Reynolds and the folks at PayPal were having a good laugh at the quadrillion dollar accounting mistake, customers of Lubbock Power & Light were less amused at the billing error they were told about last week.

According to the Lubbock Avalanche-Journal, Lubbock Power & Light officials held a news conference last Friday where they confirmed that there was a software “billing glitch” with its new customer billing system. The error meant some 44 000 customers were undercharged for their June electric bills, and the difference was applied to their July bills. The simultaneous addition of a 9.7 percent rate hike that went into effect on 1 June, as well as an increase in LP&L’s standard service charge, caused the July bills to, in the words of the utility's spokespersons, “appear disproportionately high.”

LP&L apologized for the “unfortunate and regrettable” billing error and its “communication errors” in not informing customers about the problem before the higher bills started to arrive in customer mailboxes.

Also of Interest…

18 700 University of Virginia Students’ Social Security Numbers Printed on Brochure Address Labels

Computer Issues Delay X-ray and Scan Results for Weeks at Hospitals Across Kent, England

30 000 Ireland Welfare Payments Delayed by Computer Problems

Google Accidentally Makes Scotland's Jura Island Invisible

Another National Australia Bank Computer Problem Riles Customers

Taiwan Stock Exchange Experiences Update Problems

Virgin Australia Ticketing System Suffers Outage

Illustration: iStockphoto

This Week in Cybercrime: Jay-Z and Samsung Face the Music Over Data Privacy Violations

Can They Beat the Rap?

The musician Jay-Z, who famously rapped about having “99 Problems,” is dealing with the one-hundredth: a complaint (.PDF) filed with the U.S. Federal Trade Commission last week by the Electronic Privacy Information Center (EPIC) alleging that the “Magna Carta Holy Grail” smartphone app he and electronics giant Samsung released this month for use on Samsung Galaxy Nexus handsets demands access to considerably more information than should be necessary for users to enjoy the album of the same name. Think the NSA is keeping tabs on you? Among the “massive amounts of personal information” and “substantial user permissions” cited in the EPIC filing are the ability to: change or delete the contents of a phone’s USB storage; autonomously pull down data from the Internet; view the Wi-Fi or network connections the phone is using; see who users call and when; and get up-to-the-minute details of the handset’s GPS and network-based location.

“EPIC is asking the FTC to have Samsung suspend distribution of the app until its privacy concerns are addressed and the app falls in line with the Consumer Privacy Bill of Rights the Obama administration laid out in the spring of 2012,” says a story at Kaspersky Lab’s Threatpost.

As if those demands aren’t bad enough, the brain trust behind the app thought it would be fair to trade the ability to download Jay-Z’s latest hip-hop record in exchange for users’ Twitter or Facebook credentials as well as the right to post on their behalf to create social media buzz.

For its part, Samsung says the EPIC complaint is without merit. “We are aware of the complaint filed with the FTC and believe it is baseless. Samsung takes customer privacy and the protection of personal information very seriously,” a Samsung spokesperson said on Wednesday.

EPIC, for its part, is hoping that the data privacy precedents set by the FTC in cases such as the one it settled with Path, a social networking app that was accused of snatching users’ address book information without permission, will rule the day.


IT Hiccups of the Week: IRS Exposes Up to 100 000 Social Security Numbers Online

Last week saw a hodgepodge of IT-related snafus, errors and problems crop up. We start off our review with another accidental exposure of personal information online, this time involving the U.S. Internal Revenue Service.

Up to 100 000 Social Security Numbers Exposed Online at the IRS

The IRS admitted last Monday night that it had indeed posted a “substantial number” of Social Security numbers on a website hosting publicly available information regarding tax-exempt political organizations known as 527’s (a moniker that comes from the associated Internal Revenue Code (pdf)), a story at the New York Post reported.

The mistake was discovered by the California-based public interest group Public.Resource.org. The group had been investigating a different accidental IRS disclosure of thousands of Social Security numbers related to tax exempt organizations required to file Exempt Organization Business Income Tax Return Form 990-T (pdf), according to a story at the National Journal, which originally broke the story. The reason for the group's original investigation was that the IRS had asked the group to remove some information concerning non-profits on its website that the IRS had sent it on a CD, and the group was curious to understand why.

According to IRS regulations, unless specifically prohibited, tax exempt political, charitable and similar types of organizations are routinely required to have their various tax forms made available for public review. To be fair, the IRS warns those organizations not to put personal information on any tax form the agency is required to publicly disclose, but obviously some personal information (Social Security, Employer Identification, or Individual Taxpayer Identification Number) has to accompany those submitted tax forms for the IRS to track who is filing them. While typically there is an Employer Identification Number on the publicly available tax forms, detailed information linking the EIN to a real person or persons can be found in a related IRS form (Form SS-4 Application for Employer Identification Number) that is originally filed along with the other tax forms the IRS routinely discloses.

From what I can gather in the Public.Resource.org letter to the IRS (pdf), the information on the Form SS-4, which typically requires an individual’s Social Security Number, could be accessed online at the IRS 527 website if the SS-4 was sent to the IRS along with the other publicly disclosed tax forms. In other words, basically whatever information the 527 organization sent to the IRS, the IRS just went ahead and posted it regardless of whether it contained personal information or not.

Carl Malamud, the founder of Public.Resource.org, estimated that up to 100 000 Social Security Numbers were posted by the IRS at its 527 website. The IRS, after being notified by Public.Resource.org of the issue, said it had restricted all access to the tax information on 527 organizations “out of an abundance of caution." Online access to 527 organization information is still restricted as of today.

Public.Resource.org noted in its letter to the IRS that similar personal information disclosure problems involving routinely disclosed IRS tax forms have been known to exist for the past five years, and isn’t it time for the IRS to solve them once and for all? It also asked, “Why is there no easy way for people who find these problems to notify you?”

Both are good questions.

In a similar accidental information disclosure story from last week, ComputerWorld reported that the Japanese government admitted that the default settings were left untouched when the Ministry of Environment set up a Google email group account for those officials involved in its international standard negotiations on limiting mercury use. As a result, thousands of sensitive e-mails and associated negotiating documents were publicly accessible since January. The Japanese Ministry of Environment has said the information has now been removed, no doubt out of an abundance of caution.

UK Payday Lender Sends Threatening Debt Collection E-mails to Customers Who Didn’t Owe Money

UK payday lender QuickQuid sent e-mails to an unknown number of its customers threatening to turn their accounts to third party debt collectors if their debts were not repaid. The only trouble was that the customers receiving the threatening e-mail did not owe QuickQuid any money, the London Telegraph reported. The error was apparently discovered after those non-debt-owing customers started to call QuickQuid to find out what the heck was going on.

The Telegraph stated that QuickQuid placed a notice on its website stating, “An erroneous e-mail message was sent to a number of QuickQuid customers. Please note this was sent in error and should be disregarded. As a result, our call centre is currently receiving a high volume of calls and therefore customers may experience longer wait times than normal. We apologise for any inconvenience.”

It is hard to tell if QuickQuid was apologizing for the erroneous e-mail or for the long wait times experienced by people calling to complain.

New York City Goes Back to Mechanical Voting Machines

Back in May, I wrote about the New York City primary elections to be held on 10 September for mayor, public advocate, and comptroller, and that if no candidate receives 40 percent of the vote, a runoff election is required. In such a case, New York state law requires that the runoff occur within two weeks. This year, at least one if not two runoff elections are looking like a distinct possibility.

Unfortunately, the electronic voting machines on which New York City spent US $52 million cannot be reprogrammed in that short time frame (although the machines’ manufacturer, Election Systems & Software of Omaha, Nebraska, says the machines can be made ready if New York City is willing to pay it enough money to make it happen).

Last week, New York Governor Andrew Cuomo signed legislation that allowed New York City to go back to using mechanical voting machines for the primary elections, the New York Times reported, even though he said doing so was a “poor solution.” The legislation also extended the time between the primary and any runoff election by a week. After Cuomo signed the legislation, the New York City Board of Elections promptly voted unanimously to use the lever machines for the primary, although the electronic voting machines will be used for the general election in November.

Everyone is hoping that a better solution is found over the next four years, although I wouldn’t make book on it.

Also of Interest…

Mitsubishi Australia Recalls 5000 2013 Model Outlander SUVs for Multiple Safety System Issues

Kenyan Equity bank Suffers Massive IT Failure

Hardware Failure Destroys Colorado Gambling and Medical Marijuana Business Licenses

Communication Failure Delays Flights at King Khalid International Airport in Saudi Arabia

Communication Failure Delays Flights at Jorge Newbery Airport in Argentina

IT Issue Delays Flights in United Kingdom

New Software Inflates Water Bills in Ohio


IT Hiccups of the Week: Programming Error Exposes Up To 187 000 Indiana Family Aid Recipients

After a quiet June, July began with an uptick in the number of IT snafus, snarls and hitches. We start off with a “programming error” that led to the personal information on nearly two hundred thousand Indiana citizens potentially being sent to the wrong people.

Indiana Family and Social Services Recipients’ Information Inadvertently Disclosed

Last week, the Indiana Family and Social Services Administration (FSSA) announced that the personal information of up to 187 533 clients may have been accidentally disclosed to unauthorized individuals by a “computer programming error” in a document management system that supports the FSSA. According to the FSSA announcement, the error, which was made by its contractor, RCR Technology Corporation, “caused an undetermined number of documents being sent to clients to be duplicated and also inserted with documents sent to other clients.”

The type of information mistakenly sent included, “name, address, case number, date of birth, gender, race, telephone number, email address, types of benefits received, monthly benefit amount, employer information, some financial information such as monthly income and expenses, bank balances and other assets, and certain medical information such as provider name, whether the client receives disability benefits and medical status or condition, and certain information about the client’s household members like name, gender and date of birth.” Social security information on another 3 926 recipients may have also been mistakenly sent to the wrong people, the FSSA said.

The FSSA said that because of the way its correspondence is printed and mailed, it can’t figure out exactly how many of its clients had their personal information accidentally disclosed. As of last week, at least 14 of its clients had reported receiving information that wasn’t theirs, the AP reported. The FSSA is telling anyone who receives someone else’s information to turn it in to a local FSSA office or shred it.
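The defect described above (documents duplicated and inserted into other clients’ mailings) is the kind of thing a print-and-mail pipeline can check for before anything leaves the building, provided each page carries the case number it belongs to and each envelope carries the addressee’s case number. The following is an added example, not code from the FSSA or RCR Technology system, and the envelope and document records it uses are a constructed, hypothetical format: it flags every document whose case number differs from the envelope it was placed in, every document that appears more than once in the batch, and the set of clients whose records reached someone else (the population that would need notification).

```python
"""Batch integrity check for a print/mail run (added example, constructed data).

Invariant: every document in an envelope belongs to that envelope's addressee,
and no document is printed more than once in the batch.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: str        # unique id of the rendered document
    case_number: str   # case the document's content actually belongs to


@dataclass(frozen=True)
class Envelope:
    case_number: str          # addressee's case number
    documents: Tuple[Document, ...]


def find_batch_defects(envelopes: List[Envelope]):
    """Return (misdirected, duplicated).

    misdirected: list of (doc_id, owner_case, addressee_case) for every document
                 placed in an envelope that is not addressed to its owner.
    duplicated:  sorted doc_ids that appear more than once anywhere in the batch.
    """
    misdirected = []
    seen = Counter()
    for env in envelopes:
        for doc in env.documents:
            seen[doc.doc_id] += 1
            if doc.case_number != env.case_number:
                misdirected.append((doc.doc_id, doc.case_number, env.case_number))
    duplicated = sorted(doc_id for doc_id, n in seen.items() if n > 1)
    return misdirected, duplicated


def affected_cases(misdirected) -> List[str]:
    """Case numbers whose documents reached another addressee: the notification list."""
    return sorted({owner for _, owner, _ in misdirected})


def batch_is_safe_to_mail(envelopes: List[Envelope]) -> bool:
    """Gate for the mail step: refuse the whole batch if any invariant is violated."""
    misdirected, duplicated = find_batch_defects(envelopes)
    return not misdirected and not duplicated


# Constructed sample batch (hypothetical case numbers and document ids).
# D1 was printed twice and the second copy landed in A-1002's envelope;
# D4 was printed once but put in A-1003's envelope instead of A-1004's.
SAMPLE_BATCH = [
    Envelope("A-1001", (Document("D1", "A-1001"),)),
    Envelope("A-1002", (Document("D2", "A-1002"), Document("D1", "A-1001"))),
    Envelope("A-1003", (Document("D3", "A-1003"), Document("D4", "A-1004"))),
    Envelope("A-1004", ()),
]

if __name__ == "__main__":
    misdirected, duplicated = find_batch_defects(SAMPLE_BATCH)
    print("misdirected:", misdirected)
    print("duplicated:", duplicated)
    print("clients to notify:", affected_cases(misdirected))
    print("safe to mail:", batch_is_safe_to_mail(SAMPLE_BATCH))
```

Running the check at the hand-off between document assembly and the mail step, rather than after customers call in, is what would have bounded the “undetermined number” the agency could not reconstruct afterwards: the batch log records exactly which case numbers were exposed and to whom.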

While the programming error happened on 6 April, it wasn’t discovered until 10 May; the error was finally fixed on 21 May. When the FSSA was asked why the information wasn’t disclosed until 1 July, it tried to pass the buck to the Indiana Attorney General’s office, which the FSSA said had to be involved with any disclosure and proposed solution.

The FSSA, along with the contractor RCR, has apologized and is promising to take steps to ensure the problem doesn’t happen again. Apparently, this is all FSSA clients can expect in this case, for Indiana has decided to forgo paying for a year of credit monitoring for FSSA clients, which has become standard in these types of disclosure situations. Instead, Indiana has “advised” FSSA clients regarding how they can protect themselves from identity theft that might result from the state’s error.

No doubt FSSA clients, among the poorest in the state, greatly appreciate the sage advice.

Victoria’s Emergency Dispatch System Goes Down for Third Time in Two Months

It looks like New York City isn’t the only one having trouble with an emergency dispatch system. According to the Age, a software-related problem with Ambulance Victoria’s computer-aided dispatch system caused the Australian state’s ambulance services to be “plunged into chaos” last Friday night at around 7:40 pm local time. It was another three hours before operations returned to normal. While Ambulance Victoria was able to switch to its manual back-up systems, some ambulances were delayed for as long as 45 minutes, instead of the allowed 90 seconds, before being dispatched, an AAP story reported.

The Age reported that Emergency Services Telecommunications Authority corporate affairs manager Rosie Mullaly explained that the dispatch system had been experiencing “some slowness and lagging” Friday evening, and so a decision was made to go to the manual back-up system until “the issue could be resolved.” Mullaly said that the problem was with “a secondary software system” that was seemingly interfering with the operations of the emergency dispatch system.

Victorian Health Minister David Davis in a bit of understatement called the latest emergency dispatch system problem, the third in the past two months, “not ideal,” but promised to look into the situation. Davis didn’t provide any deadline for when the investigation would be finished, however.

Detroit, Michigan’s new Police Chief James Craig was more forthright in expressing his displeasure with his city’s emergency service failure, which coincidentally also happened on Friday. ABC News station WXYZ in Detroit reported that around 5:30 am Friday morning, the “radio system used for communication between 911 dispatchers and Detroit's police, fire and EMS crews” failed, and for some unknown reason the back-up communication system also failed to operate properly. The city had to use the Michigan State Police communication system as a back-up.

Craig said he was “appalled” by the failure of the redundant radio system, especially since Detroit had a maintenance contract with Motorola, the radio system vendor, to ensure that such a failure wouldn’t occur. Apparently, periodic tests to ensure the back-up system would work in the event of a failure of the main radio system were not being performed. Craig stated flatly in a news conference that “this will not happen again;” at the time he was “flanked by a representative of Motorola,” WXYZ reported.

As of today, it is still unclear whether Detroit’s main radio system is back up and operating normally or whether the city is still depending on the Michigan State Police radio system.

More Chrysler Automation Related Recalls

After recalling some 460 000 vehicles for software-related issues last month, Chrysler announced a recall of 840 000 vehicles, Reuters reported last Wednesday.

Reuters says that Chrysler issued five separate recalls covering 490 000 cars and SUVs for an active-restraint head rest issue, and another 282 000 minivans for a possible malfunction involving air bags. The active-restraint head rest recall is due to “potentially faulty microcomputer components for head rests that are designed to move forward during rear-end crashes.” Reuters quotes Chrysler as stating that, “The potentially faulty microcontrollers were installed in a supplied component. They entered the supply chain after the 2011 earthquake and tsunami in Japan caused a worldwide microcontroller shortage.” TRW Automotive Holdings was the supplier of the microcontroller, Chrysler said.

The microcontroller recall includes 2011-2013 Chrysler Sebring, Chrysler 200, Dodge Avenger and Jeep Liberty vehicles, as well as 2011-2012 Dodge Nitro SUVs, Reuters states.

The air bag recall involves 2013 model year Chrysler minivans. In this case, “a side air bag software component was not programmed properly, which could affect proper deployment,” Reuters stated. Apparently, the wrong side air bag can deploy in a crash.

In addition, 69 000 2013 Ram 1500 pickup trucks with all-wheel drive were also recalled by Chrysler because of a potential electronic stability control software issue. Dealers were reporting that the electronic stability control lamp was illuminating, indicating the system was off when it wasn’t.

Chrysler wasn’t alone in announcing an automation-related recall last week. Toyota announced that it was recalling 185 000 vehicles world-wide “due to a faulty computer system in the power steering,” the Wall Street Journal reported. The WSJ stated that 109 000 Vitz compacts (aka the Yaris in overseas markets) made between November 2010 and March 2012, as well as 65 000 Ractis compacts (aka the Verso-S) made between August 2010 and August 2011 are being recalled. Another 11 000 Ractis compacts that are made for Fuji Heavy Industries and are sold by Fuji under the Subaru Trezia model name are being recalled, too.

Got all that?

Also of Interest…

Tesco Sells Cadbury’s Caramel Bunnies for 1p in Yet One More Pricing Glitch

Indiana Jail Blames Weather for Automatic Lock Failure

South Yorkshire England Police Have IT System Problems

Canadian Weather Service Abruptly Stops Online Reporting

Indonesian Government Prepares to Sanction Again Blackberry for Outage

Computer Problem Blamed for Premature Iowa Fireworks

Computer Issue Creates Confusion for American Airlines Passengers in La Crosse, Wisconsin


IT Hiccups of the Week: Kansas DMV System Prevents Proper Voter Registration

It was a leisurely week in the land of IT-related snarls and snafus. We start off with the continuing saga of problems plaguing the Kansas Department of Motor Vehicles modernization effort.

Kansas DMV System Slows New Voter Registration

In May 2012, Kansas finally introduced a new US $40 million computer system to handle car title and registration processes at the Department of Motor Vehicles. But more than a year later, the system continues to cause problems for the state and its citizens.

Most visible have been the intolerable DMV office wait times, as the system has proved to be less than dependable. In fact, Kansas is still holding back $2 million of the $25 million contract with the system developer 3M until system reliability improves. That can't happen soon enough for those drivers using the Wichita and Andover DMV offices who are still experiencing three to five hour waits and recurring computer failures.

But now there's another problem: Kansas voters aren’t being correctly registered to vote.

Back in 2011, Kansas legislators were considering passing a law that would require new voters to provide a birth certificate, passport or other documentation proving their citizenship when they registered to vote. According to a news story at the Lawrence Journal-World, Kansas Secretary of State Kris Kobach assured the legislature "that a new computer system being installed by the Division of Motor Vehicles could seamlessly provide citizenship information to county election officials across the state.”

The law passed, but the legislature decided to delay its start date from 1 June 2012 to 1 January 2013 “to ensure the [DMV] computer system would be working properly,” the Journal-World wrote. (This was over Kobach’s strong objections—he wanted the documentation requirement in place before the elections last November).

Apparently, even that delay wasn’t long enough.

According to the newspaper, the DMV claims that it is sending the required proof-of-citizenship information to Kobach’s office, but most of the documentation doesn't seem to be finding its way back to county election officials. For example, the Journal-World says that county election officials in Douglas County report that some 80 percent of the voter registration forms they receive that were originally filed at the DMV are lacking the proper citizenship verification information. This compares to about 30 percent of all new voter registration forms filed (including those coming in from the DMV) since the law took effect in January.

Voter registration forms that don’t have the proper documentation are placed “in suspense” until the proper documentation is provided by the potential new voter. However, there is no requirement (or money budgeted) for Kansas county election officials to contact a potential voter about their missing information. So a new voter may well have provided the required information to the DMV, but still have a suspended registration.

Officials as of yet can't pinpoint whether these documents are lost due to human or technical error.

Kobach admits, according to the Journal-World, that “the DMV system isn’t working as intended but said citizenship documents were being forwarded by email,” which county election officials strongly dispute.

If something isn’t done soon to correct the problem, the paper says that “the ongoing issues leave the secretary of state vulnerable to allegations that the new requirement will suppress rather than encourage voter participation,” something the U.S. Supreme Court took a very dim view of recently.

The Kansas DMV may have more headaches in its future: the modernization of the driver's license process is supposed to go live later this year.



Willie D. Jones