Risk Factor

This Week in Cybercrime: Hackers More Dangerous than Al Qaeda?

U.S.: Hackers More Dangerous than Al Qaeda

It seems that cybercriminals and politically motivated cyberattackers have vaulted to the top of the list of security threats to the United States. On Tuesday, James R. Clapper, the nation’s director of national intelligence, told a Senate committee that hackers not affiliated (or at least not directly linked) with another nation-state could very well infiltrate the raft of poorly secured U.S. networks that control critical infrastructure such as power generation facilities. To impress upon the legislators the seriousness of the threat, he ranked cyberattacks ahead of the brand of terrorism practiced by Al Qaeda. Later in the week, Gen. Keith Alexander, the head of the Defense Department's U.S. Cyber Command, told another collection of senators that his organization is setting up its own teams equipped to retaliate in the event of a major cyberattack on U.S. networks. Coincidence? Not likely, says a Tech News World article that considers the congressional testimony to be part of a shift in U.S. military strategy “pointing toward a renewed emphasis on the nation's digital defenses.” The coordinated appearances, say some observers, simply indicate a rejiggering of the executive branch’s funding wish list.

“The problem is not so much that cyberattacks are suddenly worse than they've been, but rather that [online attacks’] relative standing as a threat continues to rise as Al Qaeda is further dismantled,” Andrew Braunberg, a research director at information security research firm NSS Labs, told Tech News World.

U.S. Cyberattack Sentry Shut Down

Also just in time to make the U.S. government's point about cyberattacks was the revelation this week that the NIST National Vulnerability Database (NVD), the government’s public repository of software vulnerability information (CVE entries, severity scores, and security configuration checklists), had been compromised and has been out of commission since last Friday. NIST reportedly found malware on two of the servers that host the NVD. The irony is hard to miss: the site that exists to tell everyone else which security holes to patch was itself taken down by an intrusion, and it gave no public notice of its own security problem until someone asked.

According to a Business Insider article, Finnish security researcher Kim Halavakoski wondered why it had taken so long to get the site back up, so he e-mailed NIST to find out. He posted the response from a NIST public relations representative to his Google+ account. The reply summed up the situation but offered few details regarding how the attackers got in. The PR person was, however, quick to assure the public that:

“Currently there is no evidence that NVD or any other NIST public pages contained or were used to deliver malware to users of these NIST Web sites. NIST continually works to maintain the integrity of its IT infrastructure and acts to limit the impact of malware on its systems. We regret the impact this has had on our services.”

Is Your Android App Spying on You?

On Wednesday, the Data Center of China Internet (DCCI) released a report that should make all Android phone users suspicious of what’s lurking inside their handsets. According to the report, roughly 35 percent of Android apps sold in China secretly collect user data even when that information is in no way related to the app’s function. Although the 1400 apps the research institute examined were mostly sold through Chinese app markets that Google doesn’t control, the finding still illustrates cybercrooks’ focus on Android as well as the operating system’s exposure (especially in the myriad jury-rigged versions that are steadily taking over China’s mobile device market).

Apparently up-to-the-minute information on where people are is becoming a big quarry for cybercriminals. DCCI found that more than half of the apps tracked users’ locations. More than 20 percent rifled through users’ address books, while others read call records and text histories. But the most unnerving finding may be that some of the apps DCCI looked at could secretly send texts and make calls right under the user’s nose. Every one of those behaviours requires a permission the app must declare and the user must grant at install time (location, contacts, call log, SMS, phone), so the simplest check available to a user, or to a market operator, is whether the permissions an app asks for have anything to do with what it claims to do; a wallpaper app that wants to send SMS messages has no honest reason to.

Ovum analyst Shiv Putcha summed it up best when he noted in a blog post that, “Android is fragmenting beyond Google’s control, and Google’s Android strategy is rapidly coming undone in China with no immediate prospects for correction.”

Major Phishing Campaign Targets Australian Banking Customers

Early Thursday morning, hundreds of thousands of Australians woke up to malware-laced e-mails in their inboxes. The message, crafted to seem like it came from Westpac, Australia’s oldest bank, carried the subject line "Westpac Secure Email Notification" and the sender address "secure.mail@westpac.com.au". It instructed recipients to open an attachment that would infect their machine with malware. Security firm MailGuard, which identified the e-mails as fraudulent by 9:30 that morning, told the Sydney Morning Herald that by the middle of that afternoon it had blocked more than 300 000 of the bogus alerts routed to its clients' inboxes. The first wave of messages went largely undetected, says MailGuard, because they originated from more than a thousand unique source IP addresses, many of them outside Australia, so no single sending host stood out as a spam source. Note that the plausible sender address proves nothing: the From header of an e-mail is written by whoever sends it, and only the SPF, DKIM and DMARC checks performed by the receiving mail server can say whether westpac.com.au actually authorized the message.
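A first-pass triage of a message like this one, as an added example for this page (not MailGuard's product or code), in Python: it checks the three things a spoofed From address cannot fake, namely the envelope sender domain, the receiving server's SPF/DKIM verdict, and the attachment type. The message bodies, the relay domain, the Authentication-Results lines and the attachment name are constructed for the illustration; only the From address and subject line come from the report.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, not a captured message from the campaign: the From address
# and Subject match what the article reports; the Return-Path, the receiving
# server's Authentication-Results line, and the attachment are assumptions.
SAMPLE_PHISH = """\
Return-Path: <bounce-1842@relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=relay.example.net; dkim=none
From: "Westpac" <secure.mail@westpac.com.au>
To: customer@example.com
Subject: Westpac Secure Email Notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please open the attached secure notification.
--sep
Content-Type: application/zip; name="Secure_Notification.zip"
Content-Disposition: attachment; filename="Secure_Notification.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--sep--
"""

# Constructed legitimate message for contrast (also an assumption).
SAMPLE_CLEAN = """\
Return-Path: <noreply@westpac.com.au>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=westpac.com.au; dkim=pass header.d=westpac.com.au
From: "Westpac" <noreply@westpac.com.au>
To: customer@example.com
Subject: Your statement is ready
Content-Type: text/plain

Log in at the usual address to view your statement.
"""

# Attachment types commonly used to deliver a first-stage payload.
RISKY_EXTENSIONS = {"zip", "exe", "scr", "js", "jar", "html", "hta"}


def domain_of(header_value):
    """Domain part of the address in a From/Return-Path header, lower-cased."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Map of method -> verdict parsed from the Authentication-Results headers
    added by the receiving server (the only party whose verdict counts)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means nothing
    in the headers or attachments contradicts the displayed sender."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. The envelope sender (Return-Path) is what SPF is evaluated against;
    #    a mismatch with the displayed From domain is the classic spoofing tell.
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender {envelope_domain} does not match From domain {from_domain}")

    # 2. Without a passing SPF or DKIM result the From domain is unverified.
    auth = auth_results(msg)
    if "pass" not in (auth.get("spf"), auth.get("dkim")):
        findings.append(f"no passing SPF or DKIM result for {from_domain}: {auth or 'no Authentication-Results header'}")

    # 3. An archive or executable attached to a "notification" is the payload.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rpartition(".")[2].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type .{ext}: {name}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PHISH):
        print("PHISH:", finding)
    print("CLEAN:", triage(SAMPLE_CLEAN))
```

The Authentication-Results verdict is only trustworthy when your own mail server wrote it: an attacker can add a forged header of the same name, so a production filter strips any Authentication-Results line that does not carry the local server's identifier (mx.example.com above) before believing it.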


If At First You Don’t Succeed, Recall Your Product

Heaven forbid you’re cruising down the road in your new car and discover at the worst possible time that the passenger side airbag is inoperable. To avoid having its customers suffer that fate, Nissan is recalling thousands of vehicles across several model lines. The automaker filed a document with the U.S. National Highway Traffic Safety Administration (NHTSA) on 13 March indicating its plans to have drivers of 2013 model year Altimas, Pathfinders, Sentras, the Nissan Leaf electric vehicle, and the JX35 crossover SUV (from the automaker’s Infiniti luxury marque) bring them into dealers to have them inspected.

Nissan told NHTSA that the problem stems from improperly made sensors in the occupant detection system, which tells the airbag whether the passenger seat is empty or occupied by a child or small adult, in which case the bag shouldn't fire because the force of its inflating might seriously injure them. The sensors are, in other words, essential to the airbag's do-no-harm mandate; a flawed sensor may wrongly indicate that the airbag's deployment conditions have been met.

According to an article in USA Today, Nissan says it discovered the problem at its Tennessee manufacturing plant, where some vehicles rolling off of assembly lines had airbag warning lights illuminated.

Here's another thing you don't want happening as you cruise down the highway: sudden braking without your having pressed the pedal, or hard braking when you intend only to slow down slightly.

Within a day of Nissan’s recall announcement, Honda revealed that it is recalling nearly a quarter million vehicles because of an electrical problem that causes those very conditions. Honda was pushed into issuing the recall after an NHTSA investigative report said the likely culprit of the unintended braking is an electrical capacitor [pdf] that causes the brake assist feature of Honda cars’ stability control system to randomly kick in. Brake assist, a safety feature intended to reduce stopping distance in emergency braking situations, is integrated with traction and stability control, which selectively apply torque and braking to each of the vehicle’s wheels.


IT Hiccups of the Week: Royal Bank of Scotland Angers Customers Yet Again

There was a wide variety of IT-related snafus, glitches and uffdas this past week. We start off with an oldie but goodie: another IT glitch at the Royal Bank of Scotland and its subsidiaries.

Hardware Fault Affects Customers of Royal Bank of Scotland Group

Last summer, you may recall, a software update that went awry took out the IT systems supporting the Royal Bank of Scotland and its subsidiaries, NatWest and Ulster Bank, for quite some time; in the case of Ulster Bank, nearly two months went by before its IT systems were finally stabilized and customers had unfettered access to all their accounts. Needless to say, RBS Group customers were not amused by the long “disruption and inconvenience,” as RBS Group chief executive Stephen Hester called it. RBS promised its customers as well as the government that it would take steps to improve the reliability of its banking systems. Some £175 million (US $263 million) was eventually spent on customer compensation and system improvements.

Well, RBS Group managed once more to inconvenience its customers, who number 17.5 million, last Wednesday evening when a “hardware fault” disrupted access to all customer accounts. According to various news outlets such as the Financial Times, customers of all three banks could not use ATMs, pay with RBS Group-issued cards, or access any online or telephone banking services. Some customers, the BBC reported, alleged that ATMs ate their bank cards as well.

RBS claimed that the hardware error—which it says was not related to the 2012 event—was fixed within about three hours, although some customers were still complaining of problems with accessing their bank accounts well into Thursday morning. RBS, which is getting very practiced at it, issued an apology Thursday morning “for the disruption our customers experienced” and promised to help customers who faced any problems because of the outage.

The apology hardly mollified RBS Group customers, especially when, in a bit of bad timing, it was disclosed on Thursday morning that RBS chief executive Hester would be receiving a bonus worth £700,000. Many customers were angrily asking, “For what?”

Three States Experience DMV Issues

Last week, the Motor Vehicles Departments in Georgia, Texas, and Kansas all reported having IT problems.


This Week in Cybercrime: Judge Upholds LinkedIn's "If You Put It on Our Site, Don't Blame Us If It Gets Out"

LinkedIn Not Liable

Earlier this week, a U.S. District Court in Northern California dismissed a class action lawsuit accusing LinkedIn of failing to deliver the level of security the plaintiffs say the social networking site’s privacy policy promised. A June 2012 data breach resulted in more than 6 million LinkedIn password hashes being posted online. A few weeks later, a woman from Illinois and a woman from Virginia filed the suit, after learning that LinkedIn had stored the passwords as unsalted SHA-1 hashes, a practice already considered inadequate at the time of the breach because identical passwords produce identical hashes and precomputed tables reverse common ones in seconds. Judge Edward Davila found that the suit should not proceed to trial for several reasons. The plaintiffs, he said, wrongly assumed that by paying for the site’s premium upgrade they were entitled to stronger protection of their data than users of the free version. Davila pointed out that, although the plaintiffs admittedly never read the site’s privacy policy, it read,

“…we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information.”

The judge also failed to see how the posting of the passwords had, as the plaintiffs claimed, caused any economic harm or put them at future risk of identity theft.
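What the “outdated algorithm” complaint meant in practice is easier to see in code. The following Python snippet is an added example for this page, not LinkedIn's code; the user names, passwords and word list are constructed for the illustration. It places the unsalted SHA-1 scheme beside a salted, iterated PBKDF2 scheme and shows the two properties that separate them: unsalted hashes reveal which users share a password before any cracking is done, and one precomputed table cracks every victim at once, whereas per-user salts force the attacker to pay the full, tunable cost per user per guess.

```python
import hashlib
import hmac
import os

# Constructed sample of leaked records in the form LinkedIn used: an unsalted
# SHA-1 hash per account. User names and passwords are made up for this example.
LEAKED_UNSALTED = [
    ("user_a", hashlib.sha1(b"linkedin").hexdigest()),
    ("user_b", hashlib.sha1(b"correct horse battery").hexdigest()),
    ("user_c", hashlib.sha1(b"linkedin").hexdigest()),
]

# A tiny stand-in for the attacker's word list (assumption; real lists run to
# hundreds of millions of entries).
WORDLIST = [b"123456", b"password", b"linkedin", b"qwerty"]

# Work factor for the hardened scheme; raise it as far as login latency allows.
PBKDF2_ITERATIONS = 100_000


def shared_password_groups(leaked):
    """Unsalted hashes leak equality: identical digests mean identical
    passwords, visible before a single hash is cracked."""
    groups = {}
    for user, digest in leaked:
        groups.setdefault(digest, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


def crack_unsalted(leaked, wordlist):
    """One SHA-1 per candidate word builds a table that is reused against
    every leaked hash, so the cost does not grow with the number of victims."""
    table = {hashlib.sha1(word).hexdigest(): word for word in wordlist}
    return {user: table[digest] for user, digest in leaked if digest in table}


def hash_password(password, salt=None):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def crack_salted(records, wordlist):
    """Against salted PBKDF2 there is no shared table: every (user, guess)
    pair costs a full PBKDF2 run, so weak passwords still fall, but each
    account must be attacked separately and PBKDF2_ITERATIONS times slower."""
    found = {}
    for user, salt, digest in records:
        for word in wordlist:
            if verify_password(word, salt, digest):
                found[user] = word
                break
    return found


if __name__ == "__main__":
    print(shared_password_groups(LEAKED_UNSALTED))    # [['user_a', 'user_c']]
    print(crack_unsalted(LEAKED_UNSALTED, WORDLIST))  # both 'linkedin' users at once
    records = [(user, *hash_password(pw))
               for user, pw in [("user_a", b"linkedin"), ("user_c", b"linkedin")]]
    assert records[0][2] != records[1][2]             # same password, different digests
    print(crack_salted(records, WORDLIST))
```

Salting does not rescue a password like "linkedin"; it removes the attacker's ability to amortise one table over six million accounts, and the iteration count makes each remaining guess expensive. Purpose-built password hashes such as bcrypt or scrypt serve the same role as the PBKDF2 call here.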

Google’s Ups and Downs

It seems that the one-year anniversary of Google Play is not turning out to be the auspicious occasion Google had likely imagined. On Wednesday, the KrebsonSecurity.com blog reported that a new malware kit is being used to trick Android users into installing fraudulent banking apps that intercept the one-time codes banks send by SMS as a second authentication factor; the apps then forward the intercepted codes, along with the stolen login credentials, to the criminals behind them by text message. That news arrived alongside data that Google itself released on the Android developer blog showing why Android users are so easily plagued by malware. Based on devices that accessed its app store during the two-week period ending on Monday, Google reported that only 16 percent of Android users are running the newest, and most secure, versions of the operating system. More than 40 percent of Android devices still run a two-year-old version known as Gingerbread. The blame here lies less with users than with the device makers and carriers that decide when, and whether, a handset ever receives an update. Kaspersky Lab, which tracks attempted malware installations on Android, reported that as of the end of 2012, Gingerbread was the most commonly targeted version of Google’s OS. (A SecurityLedger.com article notes that Apple, by contrast, has no such migration problem with its gadgets: 98 percent of all iPhone and iPad users run one of the two latest iterations of iOS.)

The news isn't all bad about Google, though. The search-and-now-just-about-everything-else company did something this week for which it should be lauded. It struck a blow against the U.S. government surveillance program that has expanded rapidly since the passage of special laws that allow agencies such as the FBI to much more easily demand information from Internet service providers, credit bureaus, banks, and businesses like Google, all without a warrant. The demands for information, called National Security Letters (NSLs), come with a built-in gag order barring the companies receiving them from even mentioning that they’ve received them. But on Tuesday, Google became the first company to give a hint of the extent to which the FBI uses this authority. It published a document giving ballpark figures for the number of accounts for which it turned over information in a given year. For instance, it reported that in 2010 it divulged information on “2000–2999” customers; in 2009, 2011, and 2012, the range was “1000–1999.”

Although the U.S. Congress requires the FBI to disclose the number of times it issues NSLs (it sent out more than 16 000 in 2011), Google didn’t report exact numbers. “This is to address concerns raised by the FBI, Justice Department and other agencies that releasing exact numbers might reveal information about investigations,” Richard Salgado, a Google legal director, wrote in a blog post. But at least the existence of the NSLs and the potential for abuse is out in the open. The FBI continues to have this power to say information about you is “relevant” to an investigation and get unquestioned access to records—even after a 2007 Justice Department inquiry revealed that after the September 2001 terrorist attacks, the FBI regularly ran afoul of the relaxed rules regarding the acquisition of evidence.

U. S. Electronic Health Record Initiative: A Backlash Growing?

There seems to be a slow but steady backlash growing among healthcare providers against the U.S. government’s $30 billion initiative to get all its citizens an electronic health record, initially set to happen by 2014 but now looking at 2020 or beyond. The backlash isn’t so much about the need for, or eventual benefits of, electronic health records but more about the perceived (and real) difficulties caused by the government's incentive program and a growing realization of the actual financial and operational costs involved in rolling out, using, and paying for EHR systems.

The backlash began to publicly surface last September when the U.S. government accused healthcare providers of “upcoding,” i.e., claiming with a single click on a field in an electronic health record to have provided a medical service or procedure that wasn’t really performed. Kathleen Sebelius, the current HHS Secretary, and Eric Holder, the Attorney General, sent a letter to five major hospital trade associations (pdf) warning them that electronic health records were not to be used to “game the system” and “possibly” obtain “illegal payments” from Medicare. The letter said that Medicare billing is being scrutinized for fraud, and implied that those using EHRs to bill Medicare will be scrutinized even more carefully.

Healthcare providers were outraged by accusations in the letter, and said that the reason for the increased billing was that EHRs facilitated billing for services they used to provide to the government without charging for them.

About the same time, professors Stephen Soumerai from Harvard Medical School and Ross Koppel from the University of Pennsylvania wrote an article for the Wall Street Journal contending that EHRs don’t save money as claimed. They wrote that, “…. the most rigorous studies to date contradict the widely broadcast claims that the national investment in health IT—some $1 trillion will be spent, by our estimate—will pay off in reducing medical costs. Those studies that do claim savings rarely include the full cost of installation, training and maintenance—a large chunk of that trillion dollars—for the nation's nearly 6000 hospitals and more than 600 000 physicians. But by the time these health-care providers find out that the promised cost savings are an illusion, it will be too late. Having spent hundreds of millions on the technology, they won't be able to afford to throw it out like a defective toaster.”

The professors went on to say that, “We fully share the hope that health IT will achieve the promised cost and quality benefits. As applied researchers and evaluators, we actively work to realize both goals. But this will require an accurate appraisal of the technology's successes and failures, not a mixture of cheerleading and financial pressure by government agencies based on unsubstantiated promises.”


IT Hiccups of the Week: NASA Rover Curiosity Placed Into Safe Mode

It’s been a fairly quiet week in regard to IT glitches of any major significance. That said, there were still a sufficient number of snarls, snafus and errors to interfere with work as well as generally upset, annoy and outrage a lot of people. We start off this week's review with an issue affecting NASA’s $2.5 billion Mars rover mission.

NASA Curiosity Goes into Safe Mode Due to Memory Issue

Responding to a problem it detected Wednesday morning with the data coming from the Mars rover Curiosity, NASA announced on Thursday that it had “switched the rover to a redundant onboard computer in response to a memory issue on the computer that had been active.”

NASA said that it will shift the rover from its current “safe mode” operation to full operational status over the next few days as well as troubleshoot what is causing the “glitch in flash memory linked to the other, now-inactive, computer.”

The NASA press release stated that on Wednesday the rover communicated "at all scheduled communication windows…but it did not send recorded data, only current status information. The status information revealed that the computer had not switched to the usual daily ‘sleep’ mode when planned. Diagnostic work in a testing simulation at JPL indicates the situation involved corrupted memory at an A-side memory location used for addressing memory files.”

A detailed story at CNET quoted Curiosity Project Manager Richard Cook as telling CBS News that, “We were in a state where the software was partially working and partially not, and we wanted to switch from that state to a pristine version of the software running on a pristine set of hardware.”

The project team thinks that space radiation, though it regards such an upset as an unlikely event, may in fact be to blame, CNET said. Again quoting Cook:

“In general, there are lots of layers of protection, the memory is self correcting and the software is supposed to be tolerant to it…But what we are theorizing happened is that we got what's called a double bit error, where you get an uncorrectable memory error in a particularly sensitive place, which is where the directory for the whole memory was sitting…So you essentially lost knowledge of where everything was. Again, software is supposed to be tolerant of that...But it looks like there was potentially a problem where software kind of got into a confused state where parts of the software were working fine but other parts of software were kind of waiting on the memory to do something...and the hardware was confused as to where things were.”

Cook indicated that, in essence, a reboot of the inactive computer should clear things up, but that the team will do a lot of analysis before that happens to make sure that there isn’t anything more troublesome lurking about.
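Cook's distinction between a memory error the hardware repairs and one it can only report is the single-error-correct, double-error-detect (SECDED) property of the extended Hamming code that most ECC memory uses. The following Python model is an added example written for this page, not NASA or JPL code; the 8-bit word width, the bit layout and the sample value 0xA5 are assumptions chosen for illustration. It shows why one flipped bit is silently repaired while two flipped bits leave the controller knowing only that the word is bad, which is exactly the state Cook describes the rover's software having to cope with.

```python
# Added example: software model of the SECDED extended Hamming code used by
# ECC memory. Not NASA/JPL code; word width and sample value are assumptions.

def _is_power_of_two(n):
    return n > 0 and n & (n - 1) == 0


def hamming_encode(data_bits):
    """Encode a list of data bits into an extended Hamming codeword.

    Returned list: index 0 holds an overall parity bit; indices 1..n follow
    the classic Hamming layout, parity at powers of two, data elsewhere.
    """
    m = len(data_bits)
    r = 0
    while (1 << r) < m + r + 1:      # smallest r with 2^r >= m + r + 1
        r += 1
    n = m + r
    code = [0] * (n + 1)
    data = iter(data_bits)
    for pos in range(1, n + 1):
        if not _is_power_of_two(pos):
            code[pos] = next(data)
    for i in range(r):
        p = 1 << i
        # parity bit p makes the XOR of every position with bit i set equal 0
        code[p] = sum(code[pos] for pos in range(1, n + 1) if pos & p) & 1
    code[0] = sum(code[1:]) & 1       # overall parity over the Hamming part
    return code


def hamming_decode(code):
    """Return (status, data_bits); status is 'ok', 'corrected' or 'uncorrectable'.

    syndrome != 0, overall parity odd  -> one flipped bit, at index `syndrome`
    syndrome == 0, overall parity odd  -> the overall parity bit itself flipped
    syndrome != 0, overall parity even -> two flipped bits: detected, not fixable
    (three or more flips can alias to one of the cases above; SECDED is the limit)
    """
    n = len(code) - 1
    syndrome = 0
    for pos in range(1, n + 1):
        if code[pos]:
            syndrome ^= pos           # XOR of positions holding a 1
    overall = sum(code) & 1
    if syndrome and not overall:
        return "uncorrectable", None
    fixed = list(code)
    status = "ok"
    if overall:
        fixed[syndrome] ^= 1          # syndrome 0 here means index 0, the parity bit
        status = "corrected"
    data = [fixed[pos] for pos in range(1, n + 1) if not _is_power_of_two(pos)]
    return status, data


def int_to_bits(value, width):
    return [(value >> i) & 1 for i in range(width)]


def bits_to_int(bits):
    return sum(bit << i for i, bit in enumerate(bits))


def store(value, width=8):
    """What the memory controller writes for one data word."""
    return hamming_encode(int_to_bits(value, width))


def read(codeword):
    """What the controller returns on a read: (status, value or None)."""
    status, bits = hamming_decode(codeword)
    return status, (bits_to_int(bits) if bits is not None else None)


def flip(codeword, *positions):
    """Model a radiation upset flipping the given bit positions."""
    damaged = list(codeword)
    for pos in positions:
        damaged[pos] ^= 1
    return damaged


if __name__ == "__main__":
    word = store(0xA5)
    print(read(word))                # ('ok', 165)
    print(read(flip(word, 5)))       # ('corrected', 165): single-bit upset repaired
    print(read(flip(word, 3, 9)))    # ('uncorrectable', None): double-bit error
```

The "uncorrectable" path is the one that matters for Cook's account: the controller knows the word is corrupt but cannot say what it should have been, so anything above it (here, a directory of where files live in flash) has to detect the condition and recover on its own, which is what he says the software was "supposed to be tolerant of".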


This Week in Cybercrime: Stuxnet Two Years Older Than Previously Believed

Stuxnet’s Development Program Was a Long Thought-Out Process

On Tuesday, researchers from Symantec’s Security Response team released a report offering evidence that the Stuxnet worm that targeted industrial facilities in Iran—most especially the Natanz uranium enrichment facility suspected to be part of an Iranian effort to produce nuclear weapons—is two years older than previously thought. The 18-page report reveals that development of the malware dates back to 2005, although it first appeared in the wild in 2007. It wasn’t identified until July 2010. What explains the long lead time? An extended refinement process was probably part of what made Stuxnet and the related Flame malware so sophisticated. The exploits these bits of malware pulled off without attracting attention were "nothing short of amazing," Mikko H. Hypponen, chief research officer for F-Secure, a security firm in Helsinki, Finland, told IEEE Spectrum. Furthermore, says Hypponen, "You need a supercomputer and loads of scientists to do this." Symantec acknowledges that Stuxnet, which was designed to “take snapshots of the normal running state of the system, replay normal operating values during an attack so that the operators are unaware that the system is not operating normally... [and] prevent modification to the [compromised system] in case the operator tries to change any settings during the course of an attack cycle,” is among the most complex malware ever seen.

For more on how Stuxnet really worked and on the efforts to track it down, see "The Real Story of Stuxnet" in this month's issue of IEEE Spectrum.

Advanced Malware Escapes Sandbox with Help from Twitter

New malware designed to steal sensitive information exploits a sandbox-bypass vulnerability in Adobe Reader. The malicious code, dubbed MiniDuke by the researchers at Kaspersky Lab and CrySyS Lab who discovered it and released a report about it this week, has compromised systems at government agencies in 23 countries, mostly in Europe. Among its novel features are the use of steganography (payload code hidden inside innocuous-looking files) to smuggle in the components that open and maintain backdoors on compromised systems; the ability to assess whether a computer is in active use, a common check against automated analysis sandboxes; and the ability to determine what security tooling the machine has. MiniDuke also reaches out to Twitter accounts created by the attackers for tweets seeded with encoded pointers to command-and-control servers, which in turn supply continually updated commands and encrypted backdoors. Adobe patched the Reader vulnerability on 20 February; installations that have not applied that update remain exposed to the exploit.


West Virginia Taken to the Cleaners by Cisco

There was a great story over at Ars Technica this week about a recently published special audit report (pdf) by West Virginia’s Legislative Auditor on the state’s purchase three years ago of 1164 Cisco model 3945 routers at a price of US $24 million using federal stimulus funds (a tip of the hat to a Risk Factor reader for bringing this to our attention in a comment to a recent post). The auditor concluded that not only did the purchase bypass the state’s competitive purchasing rules for IT equipment; the state bought far more capability than it would ever need now or in the foreseeable future, and at non-competitive prices to boot.

The audit report cites, for example, the “city of Clay in Clay County [which] received 7 total routers to serve a population of 491. Five of these routers are located within .44 miles of each other.” The cost of those seven routers—each of which can support 200 simultaneous users—was around $20 000 apiece.

The auditor noted that over $6.6 million was spent on Cisco model 3945 router features that weren’t necessary to begin with. Furthermore, if the state had actually purchased the correctly sized routers, it could have saved at least another $8 million or so. I say at least, because that number is based on router prices quoted in a non-competitive bidding environment—holding a competition that included other router manufacturers (Alcatel-Lucent, Brocade, HP, Juniper, et al.) would have likely saved even more money. For each $5 million saved on routers, the state could have purchased 104 additional miles of needed broadband fiber, the auditor noted.

I name those manufacturers specifically because the West Virginia audit report points to “California State University, the largest four-year university in America, [which] used a competitive bidding purchase to purchase an eight-year refreshing of its 23-campus 10G network. The Director of Cyber Infrastructure of California State University provided documentation showing that Alcatel-Lucent won the project with a bid of $22 million. Cisco’s bid was $122.8 million. The other bids were Brocade at $24 million, Juniper at $31.6 million, and HP at $41 million. Furthermore in May of 2011, Purdue University bid out replacement components for its Hansen Computer Cluster. Cisco won the Purdue University competitive bid process by offering a 76 percent discount off the cost of its products.”

Why did this wasteful fiasco happen? The audit report basically says no one really knows for certain—or at least is willing to 'fess up to being the party who screwed up: stuff just sort of happened. The best that can be determined was that those receiving the federal stimulus funds wanted to spend as much of them as fast as possible, need be damned. Or in the auditor’s words, “Those making the decisions on how to spend the money did not consult individuals with technical knowledge on the best methods to utilize the funds.”


IT Hiccups of the Week: At least 17.4 Million U.S. Medication Errors Avoided by Hospital Computerized Provider Order Entry Systems

This past week has seen a hodgepodge of IT-related uff das, glitches and snarls. However, we are going to start this week off with millions of human errors avoided by IT.

Computerized Provider Order Entry Systems Avoid an Estimated 17.4 Million Medication Errors Per Year

Last week, the Journal of the American Medical Informatics Association (JAMIA) published a study that estimated the reduction in medication errors in U.S. hospitals that could reasonably be attributed to their computerized provider order entry (CPOE) systems.  The study’s authors said that they “conducted a systematic literature review and applied random-effects meta-analytic techniques” to develop a “pooled estimate” of the effects of CPOEs on medication errors.

They then took this estimate and combined it “with data from the 2006 American Society of Health-System Pharmacists Annual Survey, the 2007 American Hospital Association Annual Survey, and the latter's 2008 Electronic Health Record Adoption Database supplement to estimate the percentage and absolute reduction in medication errors attributable to CPOE.”

Working through the data, the authors concluded that a CPOE system decreases the likelihood of error by about 48 percent. "Given this effect size," say the authors, "and the degree of CPOE adoption and use in hospitals in 2008, we estimate a 12.5% reduction in medication errors, or ∼17.4 million medication errors averted in the USA in 1 year.”

The study authors are careful to note that it is unclear whether this reduction in medication error actually “translates into reduced harm for patients,” although the research tends to lead one towards that conclusion.

The number of medication errors avoided because of CPOEs is expected to rise as more hospitals install them. Only about 20 percent of U.S. hospitals had deployed CPOE systems as of the middle of 2012.


Déjà Vu All Over Again: California’s DMV IT Project Cancelled

The Golden State's Department of Motor Vehicles (DMV) must think it has checked into an IT version of Hotel California, where once a DMV modernization project is started, it can never ever finish it.

Last week, on behalf of the DMV's management, California’s CIO informed state legislators that the department had decided, at the end of January, to cancel the remainder of its US $208 million, 6-year IT modernization project with Hewlett-Packard, which was supposed to be completed in May of this year. As reported in the LA Times, after spending some $134 million ($50 million of it on HP) and having “significant concerns with the lack of progress,” the DMV decided to call it quits and rethink the program’s direction. HP had apparently seen the handwriting on the wall: its contract ended last November, and the company refused to hire key staff until the contract was renegotiated.

The DMV IT modernization program was started in 2006 in the wake of a previous DMV project failure (called Info/California) that blew through $44 million between its start in 1987 and cancellation in 1994. That “hopeless failure,” as it was then described, was supposed to be a 5-year, $28 million effort; when it was terminated seven years in, the project’s cost to complete had skyrocketed to an estimated $201 million with an uncertain finish date. A 1994 LA Times story reported that an assessment found the DMV had limited experience in computer technology, grossly underestimated the project’s scope and size, and lacked consistent and sustained management. The project's failure also sparked a full legislative probe.

The current DMV debacle, along with this month’s termination of the MyCalPAYS project, has spurred calls for yet another probe. Legislators could save a lot of time and money by just cutting and pasting from the earlier project's investigation. I'm sure they'll find a lot of the same inexperience, underestimating, and inconsistent management.

Not all was lost in the current effort: at least a new system for issuing California drivers’ licenses was rolled out. However, the critical vehicle registration portion of the DMV system, with its decades-old “dangerously antiquated technology” (pdf), will have to stay in use while a new go-forward plan is developed.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 
