Risk Factor

United Airlines Reservation System Goes Down; Blames “Network Issue”

Yesterday afternoon at about 14:20 CDT, United Continental Holdings suffered a “network outage” lasting about two hours that affected its reservation and online systems. At least 200 flights around the world were affected, United acknowledged. At one point, United requested that the U.S. Federal Aviation Administration place ground-stops “to prevent flights from taking off to some of its hub airports, including San Francisco, Newark and Houston,” the Chicago Sun-Times reported. United Continental Holdings is the parent of United Airlines and, since a May 2010 merger, Continental Airlines.

Per usual, there were long check-in lines as boarding passes had to be written out by hand and jammed reservation telephone lines as frustrated and often angry passengers tried to change their flights. United allowed, with some restrictions, those traveling yesterday to make changes without incurring a penalty once the system came back up.

United has been struggling to regain customer trust since it botched the introduction of its “new” integrated reservation system in early March. This outage won’t help. Many news articles today speak of how poorly United communicated with its passengers as being a special sore point.

Last year, United suffered a similar “network connectivity issue,” the cause of which it never explained, at least as far as I can find out. According to the Sun-Times, “United said its IT department is reviewing the cause of the outage, and said it could not comment on whether the integration of the [reservation] systems caused the problem.” Don’t hold your breath waiting for additional details.

When last year’s outage hit, before the reservation system merger, only United Airlines’ passengers were affected. As I noted then, “once the two airlines’ computer systems are fully merged, any similar glitch will likely have increased flight and passenger consequences.” You would think that the “world’s largest airline” would have better network back-up capability, especially given the experience of last year.

In a bit of irony, the Wall Street Journal ran a story yesterday on how airlines are pushing hard to implement the completely “self-service airport” where passengers won’t see an airline representative until they are greeted by the flight attendant on their plane. The story talked about airlines like Alaska and American, which are introducing self-tagging of baggage, as well as JetBlue, which became the first U.S. airline to introduce self-boarding gates at McCarran Airport in Las Vegas.

Air transport communications and information technology providers like SITA claim the move to self-service technology is, “more about throughput with the resources you have than getting rid of humans,” while the airlines say it is to allow them to give more attention to passengers with questions. Yeah, right. Just like what happened at banks when they introduced ATMs and online banking technologies.

Of course, I do suppose there are opportunities for employment for at least some number of airline workers being displaced by the self-service technology who could be retrained to help fix it when it inevitably breaks down.

Still, it will be interesting to see what happens when a self-service airline has a “network outage.” Have you been in a large supermarket when the checkout scanners stop working?

Update: 30 August 2012

Yesterday afternoon, United announced in an email to major news organizations that, "A piece of communication equipment in one of our data centers failed and disabled communications with our airports and website. We have fully redundant systems and we are working with the manufacturers to determine why the backup equipment did not work as it was supposed to."

The failure of backup IT systems to take over for a primary system that isn't working correctly has been a recurring theme this year in the Risk Factor, especially in the IT-related failures plaguing the world's stock exchanges.

What I found interesting about the United disclosure of the cause of its outage is how uncharacteristic it is. In the past, United has been very reticent to talk about any of its computer problems. One reason for the disclosure seems to be that United wanted to make it absolutely clear that the problem wasn't with its Shares reservation system and that its troubles were the result of something outside of its control. If it had been a reservation system issue, both passengers and investors would without a doubt have severely punished the airline's reputation, each in their own way.

In the end, 580 flights were delayed and 9 were canceled because of the two-hour outage.

Indonesia Stock Exchange Latest to be Hit by “Technical Problems”

The recent rash of “technical problems” hitting the world’s stock exchanges continues unabated. When Indonesia’s Stock Exchange (IDX) went to open yesterday morning, only 84 of the 114 listed security companies were able to connect to the exchange. As a result, the exchange decided to cancel its usual 15-minute pre-trading session and delay its opening for 30 minutes until 10:00 local time to diagnose and repair the problem which the Jakarta Globe reported was centered at the IDX’s main remote trading system.

The severity of the problem, however, led IDX to move trading to its revamped Disaster Recovery Center (DRC), which was built partly in response to previous reputation-tarnishing outages, but apparently that move did not totally solve the problem. The exchange did open at 10:00 as planned, but by 10:15 the connection problem recurred, and the exchange was shut down. Trading later resumed at 13:00, but the exchange then unexpectedly was shut down again 30 minutes early at 15:30. The premature closure was later blamed on the aftermath of the earlier technical problems, as traders weren’t getting timely stock price information.

There were some doubts last night whether IDX would open as normal today, but it seems to be up and running without incident.

IDX trading volume ended yesterday down two-thirds of what would be a normal day. Trading volume was especially low given that the IDX had been closed for a portion of last week on account of the Eid al-Fitr Muslim holiday. While IDX apologized for the outage, it has not explained the exact cause of the “technical problems” other than to deny speculation that the problems were a result of it being hacked. Not unexpectedly, many traders were unhappy with the exchange's problems, but so were many investors; some are reportedly contemplating a class action lawsuit over the loss of trading time.

In other exchange-related news, last Friday Japanese regulators sanctioned officials of the Tokyo Stock Exchange (TSE) for an outage that occurred earlier this month. A defective router in its Tdex+ derivatives trading system was the cause, but the real anger was that for a second time this year, the backup systems didn’t kick in as expected (or promised). According to Bloomberg News, regulators said that the TSE did not check its systems thoroughly enough after the February outage. TSE’s CIO promised that this time it “will figure out a solution for the system trouble” and quickly.

Outside consultants are going to be brought in to examine the system, the Wall Street Journal reported. The consultants will “inspect all of [the TSE’s] servers and network devices as well as its emergency backup systems.”

The regulators indicated that they will be keeping a close eye on TSE’s efforts, especially since it and the Osaka Securities Exchange are planning to merge in January 2013. TSE management said it will be again docking senior executive pay some 30 percent for one to two months in light of the latest incident.

Then last Wednesday, the Financial Times reported that NASDAQ and other exchanges were forced to cancel trades in Peet’s Coffee and Tea “after erroneous orders triggered a steep rise in its share price in a matter of seconds.” The share prices for Peet’s Coffee and Tea jumped 5 percent on “unusually high volume” within two minutes of the opening bell.

The FT further reported that, “Citing guidelines, NASDAQ said it could not name the firm or firms from where the trading error might have occurred,” so the culprit and the exact cause of the error will go unrevealed, at least for the moment.

Also on Wednesday, the Dow Jones Newswire reported that NASDAQ is preparing a report for the U.S. Securities and Exchange Commission (SEC) because of a “software problem that may have caused violations of short-selling rules.” The Dow Jones story states that the software, which ensures the SEC short-selling rules are being followed, was inadvertently deactivated as other changes were being made to NASDAQ's systems. The situation apparently lasted a week before anyone noticed. The error is now causing financial firms and traders to review their trades during the deactivation period for violations of the SEC rules.

In addition, the Dow Jones story reported that the NASDAQ "market-data feed called ITCH experienced service interruptions Tuesday and Wednesday, the exchange said in notes to customers. Minutes after Wednesday's issue, a backup version of the feed kicked in. Nasdaq on Wednesday also experienced an issue with technology meant to streamline automated trading.” Again, details on the causes of the problems are lacking.

All this is just more fodder for discussion at the SEC roundtable next month which it is holding “to discuss ways to promote stability in markets that rely on highly automated systems.”

This Week In Cybercrime: Shutting Down DDoS Attacks

-A Computerworld article reports that on 21 August, Internet security firm Prolexic revealed that it has found vulnerabilities in the tools hackers use to launch distributed denial of service (DDoS) attacks. In a written online statement, the company, which specializes in providing protection against DDoS attacks targeting corporate networks, said that flaws in the command and control component of the Dirt Jumper DDoS toolkit that has been associated with recent DDoS attacks make it possible for "counter-attackers to obtain access to the Command and Control database backend, and potentially server-side files.” That level of access, says Prolexic, would allow a network operator to halt an attack in real time.

-Thinking of downloading an “unofficial” app for your cellphone or tablet? News from security vendor Arxan, which makes tools for protecting apps from tampering, may give you pause. The company has released the details of a study reporting that more than 90 percent of the apps being sold at Apple’s App Store (and all of the top 100 apps originally found in Google’s Android app marketplace, Google Play) have been hacked by cybercriminals. The hacked versions, which are subsequently posted in various online outposts, contain modifications that, from the consumer’s standpoint, range from the seemingly benign (removal of ads) to the nefarious (malware that could steal data or turn a device into a zombie used to attack other machines). An Arxan spokesman says that for an experienced hacker, reverse engineering an app is trivial. “Android Java apps can be easily and trivially decompiled back to source code. Native Android and iOS apps are relatively easy to reverse-engineer as well,” the Arxan study says.

-Saudi Aramco, Saudi Arabia’s national oil and gas company, reported on 15 August that some of its systems had been hacked. Saudi Aramco insisted that the attack had not affected any core business systems, nor its petroleum production operations. On 17 August, a team of hackers calling itself the Arab Youth Group claimed responsibility for the online attack. Security experts note that the corroborating details the group provided to prove that it was behind the disturbance suggest a link between the Aramco attack and a new bit of destructive malware called Shamoon that is being used to target energy companies. Though Aramco has admitted that the network disruption was caused by a computer virus, it has not revealed the extent of the damage or whether its computers have been disabled. Shamoon reportedly covers its tracks by overwriting files and a PC’s master boot record, making it impossible to boot up the machine. According to a Computerworld article, the Arab Youth Group said the attack was its way of lashing out against the Saudi government’s support of Israel and the United States.

-According to the British Retail Consortium, cybercrimes cost U.K. retailers £205.4 million over the past year. Though that sounds like a pittance compared with the overall revenues that businesses rake in, the survey reports that retailers lost 0.75 percent of the value of online sales to theft or fraud, more than twice the loss rate they suffer in their brick-and-mortar operations. Because e-commerce sales increased by 15 percent in 2011 and now account for 10 percent of total retail spending in the U.K., the BRC concludes that e-crime is the “biggest emerging threat” to retailers.

“Technology Issue” Put United Airlines Flights at Risk

The question of ensuring that correct information is being entered into an aircraft’s flight management system has reared up again. Earlier this month, Bloomberg News reported that a computer “technology issue” at United Continental airlines caused some of its pilots to receive an incorrect weight estimate for their flight. The Bloomberg story stated that in one instance, “United sent pilots a weight estimate that assumed the coach section of the Boeing Co. (BA) 737-900 was empty when it was full,” a discrepancy which the pilots didn’t catch for some reason. As a result, the pilots experienced unexpected difficulty in taking off.

Bloomberg also quoted in the story an e-mail from a United spokesperson indicating that incorrect aircraft weight was sent to several flights earlier this year because of incorrect passenger counts.

United has since changed its pre-flight process, and now “is requiring its pilots to perform two additional, manual checks on weight and balance calculations before each flight” to keep the problem from recurring. This is a good idea, since word is that United plans to install narrower seats in its aircraft so it can pack in more passengers per plane.

Also earlier this month, The Age reported on the Australian Transport Safety Bureau's release of a report that looked into how the cockpit crew of a departing Qantas Airways Airbus A380 flight from Los Angeles to Melbourne last October failed to realize that required take-off parameters had not been entered into the aircraft’s computer system. As a result, when the aircraft started its take-off roll, most of the flight mode annunciations that should have been present on the primary flight display were absent.

This situation nearly caused a decision to abort the take-off, the ATSB stated, because the aircraft's first officer (FO) "had previously been involved in an event in which a similar lack of annunciation had occurred due to an autothrust failure. Both the captain and FO believed the same failure had occurred during this take-off."

The first officer, the ATSB said, asked the captain whether the take-off should proceed given the possibility of an autothrust failure; the captain responded affirmatively since the "engine thrust setting was at full thrust and there were no warnings or indications of a serious problem."

However, according to the ATSB report, once the A380 reached 100 kts, the captain "realised they did not have the take-off speeds displayed" on the primary flight display, either. Luckily, “the captain and one of the second officers had previously made a written note of the V speeds for the take-off.” With that information in hand, "The second officer called the V1 (decision) speed and both the second officer and captain called the Vr (rotation) speed. The FO rotated and the aircraft responded normally, lifting off at around 159 kts."

It must have been an interesting few seconds there while the notes with the V speeds were searched for.

The ATSB report indicated that the situation arose because of a series of crew distractions and task interruptions that occurred from the time the Airbus 380 left the gate to the time the aircraft was ready to take off. The disruptions resulted in the procedures required to set the aircraft’s take-off parameters in the flight management system not being followed properly (from reading the report, these procedures apparently must be followed in a very specific sequence, something that the cockpit crew apparently didn’t fully appreciate).

In addition, the automated warnings that something was amiss were seen but did not spark the requisite reaction. As the ATSB noted, “Twice prior to takeoff the aircraft's systems displayed a message to check take-off data. The first officer cleared the first message on the understanding that the take-off data would be checked and in the second instance, believing that it had been checked.”

The ATSB states that Airbus has since updated the A380’s flight management warning systems “as part of a planned upgrade program. This upgrade will issue a warning if take-off is commenced without the take-off speeds having been entered into the aircraft's systems.” In addition, Qantas has also updated its A380 standard operating procedures to account for another such situation possibly happening.

In a more recent incident involving Qantas, the Sydney Morning Herald reported this week that the airline has “stood down” two of its Boeing 747-400 pilots. According to the Herald, the pilots were “withdrawn from duty for their argument over the take-off calculations they should have punched into the plane's computer system as it sat on the tarmac at Dallas's international airport,” on 14 August as the plane was waiting to depart to Sydney via Brisbane.

Unfortunately, there are no more details about the argument other than apparently, “It got to a point where the two of them didn't feel they could work together.” Not all problems have technology at their root.

Another Data Breach at University of Texas M.D. Anderson Cancer Center

The University of Texas M.D. Anderson Cancer Center announced last Friday that it had yet another data breach this year. According to the Houston Chronicle, on 13 July an unencrypted thumb drive containing the names, birth dates, medical record numbers, and health information of 2200 patients was lost by a medical student on a shuttle bus. The only "good news" is that the thumb drive did not contain anyone’s Social Security information or financial data.

In April, an unencrypted laptop containing information on some 30 000 M.D. Anderson Cancer Center patients was stolen from a faculty member’s home. The information included patient names, Social Security numbers, as well as detailed medical information on at least 10 000 patients, the Chronicle reported. As a result of the theft, the Cancer Center embarked on encrypting the information on over 26 000 computers.

What is interesting is that back in November of 2006, the Chronicle reported on a laptop that contained patient insurance claim information (including "patients' names, policy numbers, Social Security numbers, dates of birth, ZIP codes, medical procedures, and dates of service") on 4000 M.D. Anderson patients being stolen out of the home of an employee of PricewaterhouseCoopers. The PwC employee was involved in reviewing patient insurance claims.

In the latter case, the information on the laptop was strongly encrypted. For whatever reason, the security executives at M.D. Anderson didn’t take that incident as a warning that maybe they should do the same for their own laptops and thumb drives—an opportunity missed.

BTW, a statement by M.D. Anderson on the latest incident says that it, “deeply regrets that this incident has occurred,” and that it is now buying encrypted thumb drives “for distribution to employees who handle sensitive data.”

According to a records search of the Privacy Rights Clearinghouse, which keeps a running tab on data breaches and the like, so far this year 387 357 medical-related records have been compromised in 68 reported incidents involving lost, discarded or stolen laptops, PDAs, smartphones, portable memory devices, CDs, hard drives, data tapes, etc. Last year there were 66 such breaches with 6 130 630 records compromised.

Two Months after Meltdown, Ulster Bank Says, “Business as Usual” For Sure This Time

“All of our systems are running as normal and for the majority of customers it is now business as usual. There will be reconciliations to some customer accounts as final outstanding transactions are processed.”

So said an important customer notice on Ulster Bank’s website yesterday, two months after the bank, along with other RBS Group-owned banks NatWest and RBS suffered a massive IT meltdown in June that kept millions of customers from accessing their accounts for nearly a week. Ulster Bank customers were especially hard hit, and many couldn’t access their accounts for weeks.

Ulster Bank’s statement above is also a month after a letter sent by Jim Brown, the Chief Executive of the Ulster Bank Group to its customers stated that, “I'm pleased to inform you that the recent technical difficulties at Ulster Bank have been resolved. For the vast majority of our customers, our services have returned to normal. However, given the scale of this incident, the clean up continues and a small percentage of outstanding transactions are being processed over the next couple of days.”

But according to an article in today’s Belfast Telegraph (which pointed out the bank’s latest proclamation of “business as usual”), the clean-up of customer accounts still continues for many Ulster Bank customers. Last week, a BBC story noted that despite the urging by the Consumer Council to speed up compensation to its customers, Ulster Bank management has, without good explanation, dragged its feet in defining a compensation process for its customers to use.

Ulster Bank has set aside £28 million to cover its costs related to the meltdown; RBS Group as whole has set aside £125 million.

The continuing trouble at Ulster Bank has led at least one competitor to offer £100 to Ulster Bank customers as an incentive to change banks.

Speaking of other long-term fallout from IT system problems, the Queensland Health service payroll debacle dating from early 2010 continues to haunt its employees. As you may recall, the Queensland Health service installed a massively late, over-budget and under-tested payroll system in March 2010, which immediately experienced problems of over-paying, under-paying, or not paying staff. (I consider it one of the most mismanaged IT projects ever.) The service has been trying to correct the resultant errors with limited success but at a very high cost ever since. According to a story in the Gympie Times earlier this month, Queensland Health service staff continue to be paid incorrectly even as the government “hunts down” employees to recover past over-payments.

The Queensland government also announced last week that it plans to eliminate and then consolidate into one the eight antiquated, expensive and insecure payroll systems that currently support the new Department of Science, Information Technology, Innovation and the Arts. The government promises that it has learned from the Queensland Health service experience, and that it’s “going to be sensible about the implementation.” I’ll let you know how sensible it turns out to be.

Finally, also in Australia, Bernie Carolan, the Victorian Transport Ticketing Authority Chief Executive, told a parliamentary inquiry that is looking into the Myki smartcard ticketing system that the early decisions involving the system were not very sensible from the start, reports the Herald Sun. The Myki development and roll-out has been years late and hundreds of millions of Australian dollars over-budget, and it continues to vex users.

Carolan stated that the original government Myki management team at the time wasn’t necessarily incompetent, but that it “poorly understood that, fundamentally, this [the Myki project] was going to become a software exercise.”

Sorry, but my vote goes to incompetence, especially after Carolan also stated that the management team never spoke to other transport authorities in Australia and elsewhere about their experiences introducing smartcards. Instead they spoke only to vendors trying to sell them smartcards.

Warrantless Cellphone Tracking Upheld

In one of my all-time favorite TV shows, the HBO drama “The Wire,” detectives long stymied in their attempts to connect the leaders of a drug crew to the operation’s street-level sales finally cracked the case using a device that intercepted signals relayed between cellular handsets and cell towers. Though they had a warrant to conduct their remote surveillance, a ruling this week by a U.S. federal appeals court says that real-world police don't need one.

On 14 August, the Sixth Circuit Court of Appeals in Cincinnati, Ohio, ruled 2 to 1 that a law enforcement agency does not need a warrant to track the location of a suspect via the signals emitted by prepaid, no-contract cellphones (known colloquially as “burners”); such tracking, the court said, does not violate Fourth Amendment protections against illegal searches.

The judges were hearing the case of Melvin Skinner, who was convicted of drug trafficking and money laundering after his 2006 arrest while in possession of more than 500 kilograms of marijuana. U.S. Drug Enforcement Administration (DEA) agents homed in on Skinner—who was taking a cross-country drive in a motor home stuffed with the cannabis—by calling his burner and hanging up. Each time a call connected to the device, which was registered under an alias, the cellular network was able to provide a near pinpoint update on Skinner’s location. The court disagreed with Skinner’s assertion that he had a reasonable expectation of privacy with respect to the data transmitted between his handset and the cellular carrier.

Writing for the majority, Judge John M. Rogers said:

“If a tool used to transport contraband gives off a signal that can be tracked for location, certainly the police can track the signal. The law cannot be that a criminal is entitled to rely on the expected untrackability of his tools. Otherwise, dogs could not be used to track a fugitive if the fugitive did not know that the dog hounds had his scent. A getaway car could not be identified and followed based on the license plate number if the driver reasonably thought he had gotten away unseen. The recent nature of cell phone location technology does not change this. If it did, then technology would help criminals but not the police.”

For their part, federal prosecutors insist that Americans have no expectation of privacy in cell-site records because they are “in the possession of a third party”—the cellular carriers. And because warrantless cellphone tracking doesn’t require a physical interaction with the suspect’s handset, the government reasons, it doesn’t violate the Fourth Amendment.

But observers are not certain that the government’s argument and the Sixth Circuit Court’s subsequent reasoning will stand up to scrutiny. The Skinner case is "almost like having a safety deposit box in the bank," said Yasha Heidari, managing partner of the Heidari Power Law Group, in a TechNewsWorld article. Heidari explained that the expectation of privacy should not depend on the location of the box and whether its owner has physical possession of its contents.

In a January U.S. Supreme Court ruling in another case involving warrantless surveillance, the high court said that police must obtain a probable-cause warrant before attaching a tracking device to a vehicle in order to monitor a suspect’s movements. A Wired article reports that in the aftermath of that case, where the FBI, without a warrant, bugged the car of Antoine Jones, a Washington, D.C.–area drug dealer and tracked his movements for 28 days, the agency has since ceased attempting to gather data using 3000 other such GPS-tracking devices. Instead, says the article, “the agency is seeking to introduce cell-site data, obtained without a warrant.”

Though the difference in that case hinged on the justices’ finding that placing something on the suspect’s property constituted a search, that reasoning may ultimately be considered legal hair splitting. For better or worse, the issue of surveillance using the wireless signals emitted by consumer electronics will likely be heard by the Supreme Court soon, if for no reason but the lack of cohesion between this week’s Sixth Circuit ruling and a 2010 Third Circuit ruling requiring warrants in order to get cell-site location data. (The Fifth Circuit is currently reviewing a similar case.)

Either way, observers are not moved by the Sixth Circuit Court's desire to limit the advantages that technology affords criminals. The Electronic Frontier Foundation’s Hanni Fakhoury told TechNewsWorld that the circuit court "went out of its way to ensure a criminal isn't constitutionally insulated from obtrusive government surveillance." Framing the issue in its larger context, Fakhoury added that the ruling "…will apply to innocent people as well, who aren't using their cellphones to commit crimes."

Is concern over cellphone tracking by law enforcement simply paranoia? Afraid not. Just last month, a post in this blog, under the headline “Is Your Cellphone Snitching on You?” reported the results of an inquiry by the U.S. Congress which revealed that in 2011 alone, law enforcement agencies made 1.3 million requests for cellphone data—including calling records, location data, and the content of text messages.

This Week in Cybercrime: Three Denial of Service Attacks, Kaspersky Calls for Help

-Today, there are reports that the web site of Russia Today is being hit by a denial of service attack. Exactly who is behind the attack and what their motive might be is unclear at this time, but speculation is that it may be connected to the Pussy Riot punk band conviction.

-On Wednesday, Reuters admitted that its blogging platform had been hacked again, and that another false story had been posted, this time claiming Saudi Arabia's Foreign Minister Prince Saud al-Faisal had died.

-In addition on Wednesday, word started to filter out that AT&T was being hit by a denial of service attack. AT&T admitted yesterday that the attack attempted “to flood our Domain Name System servers in two locations”, and that corporate customers had been affected, apparently some for at least eight hours.

-On Tuesday, the Financial Times reported that Wikileaks’ web site was back up after being down for 9 days because of a sustained denial of service attack. A Wikileaks spokesperson suspected it “was the work of a large organization,” although the person would not single out who it might be, such as the U.S. government, with which it has been at odds (wink, wink).

-Also on Tuesday, security researchers at Kaspersky Lab put out a call for help in deciphering how a new computer Trojan works. Kaspersky discovered the Trojan last week and dubbed it "Gauss", and tied its parentage to both Stuxnet and Flame. The purpose of Gauss seems to be to spy on financial transactions that take place mainly in Lebanese financial institutions.

A blog post at Kaspersky states:

“Despite our best efforts, we were unable to break the encryption. So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets. We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload.”

-A couple of interesting cyber security stories hit the news this week. On Monday, the Boston Globe reported on a survey recently conducted by computer security company CounterTack of 100 information security executives at companies with revenues greater than $100 million. The survey found that half of the executives admitted to computer network attacks in the past year, and that over a third did not believe that their organizations could stop future attacks. Being able to beat off advanced persistent attacks was a major worry of over 80% of those surveyed, with nearly half saying that they did not have the resources to keep such attacks at bay.

Making the CounterTack results a bit more worrisome was a survey report of nearly 10,000 executives in 138 countries released on Wednesday by consulting firm PricewaterhouseCoopers, which indicated that despite the increase in IT security incidents and costs over the past few years, only 39 percent of the executives said they reviewed their privacy policies annually, compared to 52 percent in 2009. As Jason Pett, head of PwC's U.S. internal audit services, remarked in a bit of understatement in a press release announcing the report, “No matter how strong a company’s data security policies and controls are, a company won’t really know the adequacy of its defense if it doesn’t continually verify that those defenses are sound, uncompromised and applied in a consistent manner.”

-There were also two off-beat cyber security stories this week. The first involved a 73-year-old Wisconsin woman who discovered that someone had been illegally taking out loans in her name for nearly a decade. She discovered this after she applied for a free credit report, which was turned down because the credit monitoring service said that she had the incorrect address on her application. The woman had only applied for the credit report because she was one of the 100,000 plus individuals who had their Social Security and tax ID numbers inadvertently posted on the Wisconsin Department of Revenue web site for three months this year; the state offered a year of free credit monitoring to those affected. So without the data breach, she may never have known her identity had been stolen.

The other story appeared in the Washington Post and claimed that motorists involved in traffic accidents should be wary of providing “too much” information to the other driver because it may lead to your identity being stolen. The story claims that the National Association of Insurance Commissioners (NAIC) is recommending that drivers in accidents “don’t share personal information, such as your driver’s license number, home address or even your telephone number.” A NAIC official quoted in the story implies that ID theft is occurring as a result of staged vehicle accidents.

However, at least here in Virginia, the state Department of Motor Vehicles says that in case of an accident you need to get the driver’s name, address and contact details, including the driver’s license number, the license plate number of the vehicles involved, along with auto insurance information for the motorists involved.

The Post article is the first I have read about this being a potential source of ID theft. Anyone else read about ID theft being traced to a car accident, staged or not? And how real do you think the threat is?

"Zombie Software" Blamed for Knight Capital Trading Snafu

A Bloomberg News story yesterday shed a bit more light on what caused the uncontrolled electronic trading by the market making brokerage Knight Capital a few weeks ago. It seems a dormant legacy program was somehow "inadvertently reactivated", and then interfered with (or took over?) the firm's trading on 1 August, when a new software trading program Knight had installed began operation. "Once triggered on Aug. 1, the dormant system started multiplying stock trades by one thousand,” Bloomberg was told by two unnamed sources who were briefed on the matter.

Hmm, dead software becomes reanimated, takes over a computer system, and then runs amok. I think I've seen that movie somewhere.

Also, according to the sources, “Knight’s staff looked through eight sets of software before determining what happened.” Almost sounds like there was a graveyard full of dead software ready to be reanimated.

Unfortunately, the article doesn't say anything more about how the dormant software awakened and interposed itself when it came to executing trades that were supposed to be initiated by the new software Knight had installed. It also doesn’t say why Knight would keep “eight sets of software” apparently resident in its execution environment. We’ll probably have to wait until the SEC finishes its investigation to find out what actually happened as well as, presumably, some juicy details about Knight's software development and system testing practices.

Nevertheless, the so-called “Knight-mare glitch” (among others) has spurred regulators in Asia and Australia to “clamp down” on high frequency trading firms, the Financial Times reported this week. The regulators are “unveiling sweeping proposals that would require traders to have controls on their systems and test them annually to prevent market disruption,” the paper said. Regulators want “pre-trade” risk controls in place to keep “aberrant” trading from happening, as well as trading “kill switches” when the risk controls fail.

In related news, the FT also reported that the recent glitch at the Tokyo Stock Exchange was traced to a bad “router in its Tdex+ derivatives trading system.” For reasons not yet explained, a backup router failed to kick in. This is the second time this year that a TSE backup system did not kick in when it was needed.

A router problem also caused problems for several hours yesterday morning at California’s Department of Motor Vehicles (DMV). According to the Associated Press, a problem with a California state router caused the DMV’s computers to become disconnected from the state’s network from about 0800 to noon local time, no doubt exasperating and angering many customers. According to television station CBS Sacramento, the California DMV has apologized to its customers via Twitter 26 times alone since February for technical difficulties. The station has been investigating without much luck DMV outages that have apparently been taking the system down with some regularity since 2007.

By coincidence, several other California state agencies had computer networking problems yesterday as well, which the state blamed on an unexplained “circuit reconfiguration” issue. This unrelated issue, the AP reports, was also corrected by mid-day yesterday.

Finally, Manganese Bronze, the company that makes London’s familiar black taxi, announced this week that “it is delaying the release of its unaudited half-year results for the six months ended 30 June 2012 ... due to the need to restate prior years’ financial results because of accounting errors that have come to light.” The errors could probably be labeled computer-related errors, though, rather than accounting ones.

According to a company statement, in August 2010, a new integrated IT accounting system, which was installed to help manage the company’s “complex global supply chain,” missed some key transactions during the cut-over: “Due to a combination of system and procedural errors, a number of transactions relating to 2010 and 2011 and some residual balances from the previous system were not properly processed through the new IT system. This problem led to the over-statement of stock and under-statement of liabilities in the financial statements of previous years.” As a result, the company understated its historical losses by £3.9 million.

Manganese Bronze has been under heavy competitive pressure, or in its own words, “Trading in the first seven months of the year has been difficult and remains challenging with the Group continuing to trade at a loss.” Although it expects the situation to eventually improve, the current strong competition from Mercedes-Benz (which now provides nearly a third of the London taxi fleet) and some expected new competition from Nissan’s new low emission taxis may not bode well for the company’s future financial health. The FT reported that Manganese Bronze stock fell 34 percent on the news of the results restatement and now only has a market value of some £5 million.

Update on Two Software-Theft Law Cases

A few months ago, you may remember, I blogged about two U.S. court rulings concerning the applicability of several different federal software-related-theft laws. The first involved the 2008 indictment of David Nosal on (among other charges) violations of the Computer Fraud and Abuse Act (CFAA). Nosal was charged in part for convincing his colleagues to use “their log-in credentials to download source lists, names and contact information from a confidential database” belonging to his former employer, allegedly for the purposes of aiding the start-up of a new competing company Nosal had created.

The 9-to-2 ruling (pdf) from the United States Court of Appeals for the Ninth Circuit, which was preceded by some epic legal wrangling, essentially said that the language in the CFAA was aimed at “the circumvention of technological access barriers” protecting an IT system rather than at the misappropriation of information residing there by someone who had permission to use the system. As a result, Nosal’s indictment under the CFAA was thrown out. The Appeals Court suspended its ruling until 8 August in order to give the U.S. Department of Justice (DoJ) time to file an appeal to the U.S. Supreme Court.

Last week, the DoJ decided that it would not appeal the decision, reports a CNBC story. One reason may be, as a story in Wired argues, that the U.S. military is prosecuting Pfc. Bradley Manning for the Wikileaks leaks under the CFAA. The Wired story states that the Ninth Circuit ruling “conflicts with at least three other circuit courts of appeal nationwide. Had the government appealed, the Supreme Court likely would have taken the case to clear up the conflicts.” Since the Ninth Circuit court ruling only affects federal case proceedings in Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon and Washington, and Manning is being tried in Maryland, the U.S. government may not have wanted to risk having a portion of its Wikileaks case thrown out by a Supreme Court ruling supporting the Ninth Circuit’s ruling.

The DoJ may also have wanted to avoid impacting the hundreds of other civil and criminal CFAA-related cases that have been brought in the past five years.

Nosal still faces other charges related to his actions, however, the CNBC story states.

The second court ruling I wrote about involved Sergey Aleynikov, who was found guilty under the National Stolen Property Act (NSPA) (pdf) and the Economic Espionage Act (EEA) of 1996 for stealing and transferring some proprietary computer source code from his former employer, Goldman Sachs. The Second Circuit Court of Appeals unanimously overturned (pdf) Aleynikov's conviction, in essence stating that neither act was applicable for the crime he was alleged to have committed.

At the time I wrote: “As far as I know, Aleynikov is not being pursued by Goldman Sachs or anyone else on any other civil or criminal offenses.”

Well, late last week Sergey Aleynikov was brought up on Class E felony charges by the Manhattan District Attorney, Cyrus R. Vance Jr. Accompanying the announcement of the indictment under New York State’s laws against the Unlawful Use of Secret Scientific Material and the Unlawful Duplication of Computer Related Material was a press release explaining that, “This [Goldman Sachs] code is so highly confidential that it is known in the industry as the firm’s ‘secret sauce’. Employees who exploit their access to sensitive information should expect to face criminal prosecution in New York State in appropriate cases.”

Aleynikov’s lawyer cried foul over the new indictment, saying “the new prosecution… violated the double jeopardy clause,” reported the New York Times. The Times also reported that Aleynikov’s lawyer informed the judge in the case that, in arguing against the charges, he was “preparing to file malicious prosecution lawsuits against Goldman Sachs and the federal government” for the original indictment and conviction that was tossed out by the Second Circuit Court. However, legal experts quoted in the Times didn’t think that Aleynikov’s lawyer stood much of a chance of making the double jeopardy argument stick.

If Aleynikov is convicted under these New York State charges, he can receive up to four years in jail, reports a Bloomberg Businessweek story.

Photo: iStockphoto
