Risk Factor iconRisk Factor

This Week in Cybercrime: State Court Hack Punishes the Guilty and the Innocent

Up to a Million Washington Residents Affected by Hack of State Court Network

It’s likely that most of the people charged with crimes in Washington State between September 2011 and December 2012 have already been exonerated or have paid their respective debts to society. But for roughly a million of them (at least some of whom were found not guilty at trial, established their innocence before their cases went that far—or were in court simply to fight a traffic ticket) that moment of contact with the state’s court system may lead to another punishment: identity theft. The state government revealed this week that the website for the Washington State Administrative Office of the Courts was hacked and that the attacker may have gotten away with the names and social security numbers of anyone booked into a city or county jail in the state during that time. Officials also couldn’t rule out the possibility that some people charged in the state's superior court criminal system in 2011 or 2012, cited for driving under the influence between 1989 and 2011, or went to court for traffic-related offenses during that period might be at risk. The larger group's names and driver's license information may have been taken.

"The access occurred through a ‘back door' part of a commercial software product [Adobe Systems’ ColdFusion] we were using, and it is patched now," Mike Keeling, information technology operations and maintenance manager for the court system, told reporters on a conference call.

At the same time that state officials were offering up the usual assurances that no financial data such as credit card numbers was accessed as a result of the break-in, they revealed that the breach was discovered in February (and could have been exploited as early as last fall). Since then, the state has attempted to notify only the 94 people (that is not a typo) whose information they could absolutely confirm was taken. Of their delay in reporting the incident, the government employees insisted that they didn’t initially think any confidential personal details had been stolen—despite the fact that a large volume of data had been downloaded through the backdoor. "We regret that this breach has occurred and we have taken immediate action to enhance the security of these sites," Callie T. Dietz, the state’s court administrator, said in a written statement. Dietz also offered this fun fact: The break-in was the first time the court system’s network had been hacked. Hurray! Trophies and orange slices for everyone on the team!

Read More

Another Excuse For Why Tennessee Will Make State IT Workers Reapply for Their Jobs

You may recall that I recently wrote about the apparent success of New Hampshire’s new US $90 million Medicaid Management Information System (MMIS) that went live last month after years of technical difficulties, cost overruns and delays. This was a bit of good news, given that implementations of state Medicaid/Medicare systems have a notoriously bad track record, as the project problems in Maine, Ohio and Idaho have illustrated.

Alas, the difficulty with implementing these systems was highlighted once more when late last month Tennessee announced that it was stopping work on its Vision Integration Platform (VIP) after seven years of development. According to a story in the Tennessean, the state’s Department of Human Services made only a very brief, content-free announcement about the reasons behind its termination decision on a Friday, apparently in the time-honored ploy to reduce the political impact of the news. Tennessee has had a number of high-profile IT state project problems over the past few years affecting the Department of Children’s Services, the Department of Labor and Workforce Development, as well as with the state’s attempt to implement its Project Edison payroll system.

The VIP project was to provide comprehensive automated support for Temporary Assistance for Needy Families, Food Stamps, Medicaid and TennCare, as well as other state supported programs. A February 2005 press release (pdf) from the state’s Department of Human Services said that the $37 million project would take be completed by the summer of 2008.

However, the VIP project has repeatedly missed its deadlines, with the latest being 1 April 2013. A 2012 Tennessee government audit report (pdf) blamed the missed deadlines on “defects in current designs or new functionality requirements,” the Tennessean reported. The state has spent in excess of US $20 million on the VIP project so far, and is now trying to figure out what to do next, such as to start over or to try to use what has been developed so far.

The VIP fiasco is serving to help sell Tennessee’s Governor Bill Haslam’s controversial decision announced in early April to force all of the state’s 1600 information technology workers to reapply for their jobs. Another Tennessean story says that that the purpose of the decision is to weed out “those who can’t master the skills of a rapidly changing field.”  Mark Bengel, the state’s CIO said, apparently with a straight face, “This is really not about getting rid of people. It’s about making sure that we do have the skills and we have the ability to develop and retain staff in the future.”

Read More

IT Hiccups of the Week: Online Testing Problems Spread

Last week saw the ongoing effects of several IT-related problems initially spotted over the past month. We start with problems several U.S. states have been having with the online testing systems upon which they increasingly rely for carrying out all of their standardized testing.

More States Experience Online Testing Issues

In mid-April, I wrote about how 15 000 Minnesota students who were trying to take their Minnesota Comprehensive Assessment online math test either couldn’t sign in or had their tests ended prematurely. The snag was because of a server issue at the American Institutes for Research (AIR), which the state had hired to run the testing. Those kids weren’t alone; more testing problems cropped up about a week later, frustrating the plans of several other Minnesota school districts, Minnesota Public Radio reported. However, a story at the Minneapolis StarTribune says that AIR is denying that the latter testing problems had anything to do with its system. Nevertheless, the ongoing online testing issues forced the state’s education officials to announce last week that they are pushing back the deadlines by which the exams have to be administered. The math and reading tests were to have been completed by May 10 and science tests by May 17. No new completion dates have yet to be set.

The Minnesota students having trouble taking their online tests apparently have lots of company. According to an Associated Press story, students in Oklahoma, Kentucky and Indiana also have had difficulties with their online tests. Other news reports highlighted testing issues in Ohio and Alabama. Again, server-related issues seemed to be a root cause. The problems in these states were similar to those experienced in Minnesota: students couldn’t log on, suffered slow response times, or were kicked off in the middle of their tests. Testing in Oklahoma and Indiana is run by CTB/McGraw-Hill; in Kentucky, ACT oversees the student assessments.

The problems in Indiana not only have students on edge, but teachers too, as their merit pay is tied to student test scores. McGraw-Hill, which has a four-year, $95 million contract to operate the state’s online testing system, could be fined “$50 000 for each day last week the test was down,” WTRV Channel 6 in Indianapolis reported. McGraw-Hill apologized for the problems students had in both Oklahoma and Indiana, saying “We sincerely regret the problems we have caused,” and offering assurances that everything is fine now. The apology rang pretty hollow to many teachers and parents of students affected by the outages, however.

In Kentucky, the problems have caused state officials to suspend online testing for students who haven’t completed their tests and move back to the tried-and-true, paper-and-pencil approach. According to various news reports, state officials acted after ACT gave conflicting reports on the status of its testing system.

ACT was said to have “apologized for any inconvenience" caused.

Read More

This Week in Cybercrime: Nearly 90 Percent of All Websites Vulnerable

Secure Site? What Secure Site?

Researchers at security firm WhiteHat have some good news and some bad news. First the (sort of) good: for the third consecutive year, the number of serious vulnerabilities per website has gone down. But hold your applause, please. The average website was still a model of insecurity in 2012, with 56 holes.

To be sure, that's an improvement on the average of 79 per site in 2011 and an astonishing 230 per site in 2010. (By “serious vulnerability” WhiteHat means holes through which “an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news.”)

And now the bad news: Of the tens of thousands of sites the researchers looked at, 86 percent had least one serious vulnerability and a stunning 82 percent had a vulnerability that went unresolved for at least a full month. The most common vulnerabilities included: information leakage (55 percent of sites), cross-site scripting (53 percent), content spoofing (33 percent), and URL redirector abuse (13 percent).

Read More

Can Avatars Help Close the Doctor-Patient Communication Gap?

Communication in a doctor's office is like a marriage gone bad: As you describe to your doctor that what pain or symptoms you have, you realize that while the doctor may hear you, he or she isn't really listening. And in the other direction, you hear the doctor's words, but do you walk away with a full understanding of the diagnosis, what exactly you're being prescribed, why, and what the risks are?

In a recent article in the London Telegraph, fully 25 percent of National Health Service patients complained that their doctors discuss their conditions as if they weren’t there; 20 percent reported that “they were not given enough information about their condition and treatment;” and 25 percent confessed that “there was no one they could talk to about their worries and fears.”

Another recent story about doctors’ people-skills—and lack thereof—in the Wall Street Journal sums up the issue nicely: “Doctors are rude. Doctors don't listen. Doctors have no time. Doctors don't explain things in terms patients can understand.” The introduction of electronic health records has, ironically, often made things worse. A recent study noted that even as EHR systems have "allowed [doctors] to spend more face-to-face time with patients," they nonetheless often prove to be a "distraction" as doctor attention becomes focused on keyboards and not patients.

The WSJ article talks about how medical schools, malpractice insurers, and major hospitals are trying to improve patient-doctor communication, and for good reason: A break-down in patient-doctor communication is cited in at least 40 percent of malpractice claims. Further, research confirms that poor communication often leads patients to not follow their prescribed treatments regimens, whereas the opposite also seems to be true. Doctor-patient communication can be improved by having doctors coached in practices like the Four Habits, which, the WSJ says, “teaches doctors how to create rapport with patients, elicit their views, demonstrate empathy and assess their ability to follow a treatment regimen.”

If new technology is partly to blame, it can also help. An article at Health Management Technology describes the use of speech-based “virtual assistants” to capture patient data and automatically enter it into a patient’s EHR, for example, allowing the doctor to talk to the patient without the distraction of having to type what is being said.

Read More

IT Hiccups of the Week: Latest LivingSocial Alert Not What Customers Bargained For

Deal of the Week: Identity Theft

On Saturday, I and 50 million other LivingSocial customers received e-mail notices from company CEO Tim O'Shaughnessy telling us that we got more than we bargained for when we signed up to receive deals via the site. We got hacked.

Earlier in the week, our account details including names, e-mail addresses, birth dates, and encrypted passwords had been compromised. The e-mail told us that LivingSocial had already reset users’ passwords, mainly to force customers to create new ones. The note assured us that our credit card information was stored on a separate server that was not breached and thus did not fall into the attackers’ hands. Though LivingSocial also offered assurances that our stored passwords were encrypted, security experts laugh at the notion that a highly motivated hacker will be stymied by that barrier. What will the cyberthieves do with the information? PC World notes that they're not likely to run up a tab of discounted facials, massages or walking tours. “The bigger concern is what an attacker can do with your personal information,” the article notes. It warns customers to change their passwords on other sites if they made the all-too-common mistake of using a single password repeatedly. For its part, LivingSocial told us that “The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.” Have you ever noticed that no CEO ever sends out an e-mail that says, "We've never been hacked, but we're redoubling efforts anyway"?

Read More

This Week in Cybercrime: You Can Be Convicted of Hacking Even If You’re Not a Hacker

Hacking the Meaning of Hacking

It’s happened before: someone is convicted for robbery who never set foot inside the store that was held up, or serves a long prison stretch for murder, but is later exonerated when DNA evidence reveals that they and the perpetrator are not one and the same. But you rarely associate computer crimes with such miscarriages of justice. Nevertheless, in a California courtroom this week, David Nosal was convicted of six counts, including violating the federal Computer Fraud and Abuse Act—which went on the books in 1984 as part of an effort to make it easier for prosecutors to take down hackers bent on stealing data or in some way vandalizing the machines they infiltrate. The problem: There is no question about the fact that he did not hack into the system from which he acquired proprietary information. The jury came back with a guilty verdict despite having heard evidence that Nosal managed to convince—mostly through bribery—his former colleagues who were still employed at Korn/Ferry International, an executive search firm, to access the company’s database and turn over trade secrets. And get this: Those folks, who actually accessed the Korn/Ferry database with malicious intent, were not charged with any criminal wrongdoing.

But Nosal likely won’t don prison stripes anytime soon. If the pattern of this case holds, the verdict is, for the accused, merely a setback in a long and winding journey. The judges of the Ninth Circuit Court of Appeals in San Francisco have banged their gavels on this case on two separate occasions, and legal observers say they’re likely to see it again. Last year, the Ninth Circuit jurists decided that bringing charges against an employee for what amounts to a violation of his or her employer’s computer use policy is a bridge too far. That saved the bacon of Nosal’s aforementioned accomplices and got some charges against him related to data thefts back when he was a still a Korn/Ferry employee dropped. Furthermore, chances are good that a final decision on Nosal’s fate won’t be made until the Supreme Court weighs in. Stay tuned.

Read More

The Hacked Tweet That Took Down Wall Street

I am only surprised it took so long.

Yesterday, a “breaking news” tweet at 1:07 PM EDT from the Associated Press reported that two explosions had occurred at the White House and President Obama had been injured. The news immediately sent the Dow Jones Industrial Average down 143 points, as this graph at the London Telegraph shows. There's also a lovely animated display of the “flash crash” by market research firm Nanex LLC.

It took about three minutes for the tweet to be repudiated, and a bit longer for the AP to acknowledge that its Twitter account had indeed been compromised. According to its own story posted last night, all of the AP's Twitter accounts (including its Mobile Twitter account) were suspended and it was “working to correct the issue.” The AP also stated that the “Syrian Electronic Army claimed responsibility for the hack,” but added that, “This couldn’t be corroborated.”

The SEA, which supports the Syrian Government, has taken credit for a number of recent Twitter account compromises, including the  BBC, National Public Radio, CBS News and the President of FIFA. Last August, there were a number of fake news stories published regarding the Syrian conflict as well. Facebook is also a Syrian conflict social battleground.

A more intriguing statement in the AP story generated lot of speculation: “The attack on AP's Twitter account and the AP Mobile Twitter account was preceded by phishing attempts on AP's corporate network.” This suggests that someone in the AP downloaded a phish email (seemingly confirmed by AP reporter Mike Baker) which led to the compromise of the AP Twitter accounts. However, when asked for clarification, the AP refused any further comment, maybe on the advice of the FBI and the U.S. Securities and Exchange Commission, who are looking into the incident.

Read More

Face Recognition Failed to Find Boston Bombers

Recent comments by the Boston Police Department to the Washington Post confirm what Tech Talk said last week: Facial recognition was not a factor in the hunt for the Boston Marathon bombers.  According to the Post, “facial-recognition software did not identify the men in the ball caps. The technology came up empty even though both Tsarnaevs’ images exist in official databases: Dzhokhar had a Massachusetts driver’s license; the brothers had legally immigrated; and Tamerlan had been the subject of some FBI investigation.” Image analysis software has not caught up with the grimy reality of street photography: low-resolution, long-range images—often poorly focused, rapidly moving, and caught from odd angles.  

But if analytical cameras were not a factor last week, they may be soon.

NYPD Commissioner Ray Kelly, NY Mayor Michael Bloomberg, and Microsoft VP Mike McDuffie announce Domain Awareness SystemThe New York Police Department and Microsoft have built what they call the “Domain Awareness System.”  Early in April, before the Boston bombing, the New York Times described the combination of “more than 3500 cameras in public places, license-plate readers at every major Manhattan entry point, fixed and portable radiation detectors, real-time alerts transmitted from the 911 emergency system and a trove of Police Department data, including arrests and parking summonses.”

The system can spot cars on its watch list the moment they enter the city, and trail them by camera throughout their trip. The system also uses medium-time-scale scene analysis to spot and report changes in the relatively static features of a video image—a backpack left by a railing on a busy street, for example—while ignoring rapidly changing components like people and vehicles passing by. It’s like those spooky, ultra-long-exposure pinhole camera photos that turn a busy street into an empty post-apocalyptic dreamscape, unpopulated under the noonday sun. You can see demonstrations of the Domain Awareness System in action in this Today Show segment. (The technique has broad application to cluttered environments. See the LandTrendr analysis that researchers from Oregon State University and the U.S. Department of Agriculture used to transform Landsat satellite images of the Pacific Northwest into a pristine, cloud-free, season-by-season time series yielding a clear picture of bark beetle damage creeping across the region over 23 years.)  

Why is the NYPD going public with a description of its high-tech crime-fighting tools? New York Police Commissioner Ray Kelly says that knowing the odds against them will deter potential terrorists. We should also note that the NYPD and Microsoft have recently agreed to market the system, and New York stands to receive 30 percent of the gross revenues on the multi-million-dollar licenses.

Read More

IT Hiccups of the Week: Excel Spreadsheet Error Heard Around the World

After the previous week’s quietude, IT-related problems, issues and faults returned to their normal rate of occurrence. We start off with a human-induced spreadsheet error that is reverberating around the economic and government financial policy worlds.

Oops: Excel Error Calls Into Question Widely-Cited Economic Study on the Impact of Government Spending

Economics has long been called the “dismal science.” Last week, an error in an Excel spreadsheet used by two Harvard University professors served to help reinforce that moniker.

Back in 2009, Carmen M. Reinhart and Kenneth S. Rogoff published a book with the provocative title, “This Time It’s Different.” The professors asserted in their book that, among other things, their empirical research demonstrated that when advanced economies’ public liabilities reach or exceed “the important marker of 90 percent of GDP,” long-term economic growth and stability are placed at peril. Upon reaching that 90 percent of GDP point, the two argue, governments need to act swiftly to rein in public spending or increasingly risk stifling future economic recovery and growth.

Reinhart and Rogoff based their conclusions, which many governments (especially in Europe) embraced as a sound rationale for their current policies of cutting public spending, on what the two said was “clear” and “sharp” empirical analysis of “comprehensive” financial data. The information they collected “cover[ed] sixty-six countries across five continents” going back to the early 1800s. The two professors have not been shy about promoting the importance of their research; a quick scan of the book’s website turns up this statement: “An important book that will affect policy discussions for a long time to come, This Time Is Different exposes centuries of financial missteps.”

The book's analysis drew the expected reactions from the two main opposing factions of economists: those who support Reinhart and Rogoff and their call to reduce high public debt levels and governmental spending, and those who argue that in tough economic times, it is imperative that governments increase spending to stimulate their economies. The latter group, while arguing that Reinhart and Rogoff’s conclusions were wrong, have been off-footed by the duo’s seemingly strong, data-driven analysis of 200 years of financial data. That is, until last week.

Last Monday, Thomas Herndon, Michael Ash, and Robert Pollin, three economists at the University of Massachusetts, published a review of the conclusions reached by Reinhart and Rogoff using the original data set upon which "This Time It's Different" is based.  What did they find? The Massachusetts economists say they spotted “coding errors, selective exclusion of available data, and unconventional weighting of summary statistics.” These, they said, “lead to serious errors that inaccurately represent the relationship between public debt and GDP growth among 20 advanced economies in the post-war period.” The takeaway: “when properly calculated, the average real GDP growth rate for countries carrying a public-debt-to-GDP ratio of over 90 percent is actually 2.2 percent, not -0.1 percent, as published in Reinhart and Rogoff...average GDP growth at public debt/GDP ratios over 90 percent is not dramatically different than when debt/GDP ratios are lower.”

Reinhart and Rogoff, as they admitted after the UMass paper was published, accidentally forgot to include the first five rows covering data from five countries (Australia, Austria, Belgium, Canada, and Denmark) from an Excel spreadsheet in their analysis—a “coding error” which they said was “a significant lapse on our part.” Others who were being nice called the oversight a "numbskull error." However, the professors took exception to the charge of deliberately manipulating the data to match their beliefs about the need for government austerity, and insisted that their conclusions were not much affected by the error anyway.

As expected, discovery of the error has caused quite a stir over the veracity of Reinhart and Rogoff's findings and the resulting implications for public economic and financial policies across the world. In other words, does high public debt indeed cause slow economic growth (as Reinhart and Rogoff argue) or does slow economic growth cause high public debt? I'll let Risk Factor readers argue the merits of either case if they are so inclined.

The Excel kerfuffle probably doesn’t matter much in the long run, as economists are fond of saying, given that most governmental economic data (especially old data) is so noisy as to be pretty useless for detailed analysis. Just as important is the fact that no one seems to understand how to spur economic recovery happen anyway, regardless of what side of the economic policy debate they sit. Further, as this commentary at Forbes insightfully notes,  “In reality, the only lesson to be drawn from this episode is that academic economics, like many social sciences, is grounded in hubris and pseudoprecision. And that the modern urge to demand an academic study to ‘prove’ or justify inherently complex and ambiguous decisions is antithetical to clear thinking.”

The other lesson the Reinhart and Rogoff Excel error shows is that “this time it isn’t different,” at least in regard to human-related data error. Two compilations of previous spreadsheet and other data-driven errors aptly demonstrate the point.

H&R Block Sued Over Tax Filling Issues That Delayed Refunds

As we noted a few weeks ago, H&R Block, one of the world's largest tax services providers, had a problem electronically transmitting Form 8863 (American Opportunity and Lifetime Learning Credits) to the IRS. The issue delayed refunds for hundreds of thousands of taxpayers. At the time, H&R Block’s CEO said that he “sincerely” apologized for the filing snafu. However, that apology hasn't counted for much in some quarters, apparently, since according to a story at Consumer Affairs, lawsuits in California, Michigan, and Illinois have been filed against H&R Block. The lawsuits are generally claiming that the company did not live up to its advertised 100 percent accuracy claim, and or failed to provide adequate compensation to those affected by the refund delay.

And speaking of tax filing problems, on the evening before U.S. tax returns were due on 15 April, Turbo Tax Online was “intermittently unavailable” for about an hour, which scared more than a few last minute filers, according to Forbes.  No lawsuits are expected to be filed over the temporary increase in taxpayer heart rates brought on by the issue, but you never know.

In what is hopefully the last of the tax season-related computer problems, a faulty switch and router made it impossible for Utah taxpayers to access the state's tax filing website on 14 April. Utah addressed the issue by giving residents an extra day to file their state tax forms.

Server Malfunction Affects 15 000 Minnesota Students Taking Math Test

Freaking out over a problem with your tax software probably pales in comparison to the emotions experienced by the 15 000 Minnesota students who were trying to take their Minnesota Comprehensive Assessment online math test last Tuesday, but either couldn’t sign in or had their tests ended prematurely.  According to the Star Tribune, American Institutes for Research, the testing vendor, attributes the snafu to a problem on one of its servers. A story at the Pioneer Press quoted Charlene Briner, chief of staff for the Minnesota Department of Education, as saying the problem was “unacceptable.” In response, the vendor stated that while the company’s online testing system isn’t perfect, “it's pretty damn good.” Maybe the vendor should solicit the opinions of the students who had their test ended mid-way through.

Briner said that the affected students will be able to pick up where they left off and review their answers or restart their tests. No doubt the students, who just love taking math tests, were overwhelmed with feelings of joy on hearing that.

New Hampshire’s New Medicaid System Has a Few Problems After All

After telling everyone to expect problems with the roll-out of the state’s new Medicaid Management Information System (MMIS) at the beginning of the month, and then saying that there weren’t any after all, New Hampshire’s Health and Human Services Commissioner Nick Toumpas reversed course again last week. Toumpas admitted to the Union Leader that there were indeed some issues cropping up. He noted that some small Medicaid and Medicare providers have had problems since the system rollout commenced—mainly, the suspension of their submitted invoices for payment. Of the bounced back invoices, he said that, “It was unclear if it was their problem, whether they submitted something incorrectly, or whether it was getting kicked out legitimately.” Interestingly, he did include in his statement the alternative that there may actually be something wrong with the MMIS itself.

To his credit, Toumpas is still allowing payments to be made to the small providers with provisos for getting the money back if it is indeed a problem on the providers’ end, and not with the new MMIS.

American Airlines Still Not Explaining Cause of “Software Issue;” ERCB Outage Continues

American Airlines has still not given a reason for the “software issue” that affected its reservation system and disrupted flights last week, according to the LA Times. It is doubtful that it ever officially will.

And the routine hardware upgrade to the computer system servers at Alberta’s Energy Resources Conservation Board (ERCB), which went bad on 2 April (mentioned here last week), continues. The ERCB reports some progress in fixing the problem, but remains uncertain as to when its servers will be finally fixed.

Also of interest…

Computer Issue Excludes Eligible Jurors in Polk County, Florida

Google Gmail Outage Blamed on Log-in System

Singapore Check Clearing System Hit by Technical “Glitch”

Photo: John Turner/Getty Images

Advertisement

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 
Load More