Risk Factor iconRisk Factor

This Week in Cybercrime: Cybercrime’s Industrial Revolution

Cybercrooks: Captains of Industry?

The idea that cybercrimes are the work of miscreants or gangs of hackers picking targets at random is outmoded. Analysts now see a mature industry with an underground economy based on the development and distribution of ever more sophisticated tools for theft or wreaking havoc. That is the takeaway from a report released on Wednesday by researchers at 41st Parameter, a maker of device recognition and intelligence solutions.

According to the report,

Cybercrime is on the rise: large-scale fraud attacks, consumer data breaches, and politically-motivated Distrbuted Denial of Service (DDoS) attacks on financial institutions and others are costing businesses billions of dollars every year…Much of this growth stems from the maturation of the criminal digital underground and its 'industrial' approach to cybercrime.

Of the trends in cybercrime identified by 41st Parameter, a Network World article about the research summarizes the top five as: data breaches, which the report calls “the fuel that drives the industrial fraud complex,” becoming an inevitability even for large businesses; smartphone hacking, driven by the new business opportunity presented by the 700 million smartphones sold in 2012 alone; better cloaking techniques that allow malware to keep itself hidden from human users and antivirus scans; and automation of cybercrime, which allows crooks to multiply their efforts. “Automation allows fraudsters to trade a large number of smaller transactions for fewer, larger transactions,” says the Network World article. “This makes anomaly detection systems less effective while introducing greater requirements to identify, document and reset compromised accounts.”

Read More

How Often are EHRs Placing Patients at Risk?

This week, Bloomberg News published a special report examining the shift of US healthcare to electronic health records, and in particular, the questions hospitals, doctors and patients are asking about the “problems and potential harm arising from these new computerized systems.”  One story in particular provides an overview of a number of the safety issues being encountered, which include everything from medical data seemingly disappearing from EHRs to user interface issues. Not surprisingly, the Bloomberg article reports that the “most dangerous time for patients appears to be immediately after a facility installs” a new EHR system because of staff learning curve issues as well as the myriad of operational system fixes that always need to be made to get the EHR system to work reliably and correctly.

Jodi Daniel, director of policy and planning for the Office of the National Coordinator for Health Information Technology, which coordinates the U.S. effort to implement and use EHR systems, seemed to downplay the patient safety concerns the article raised. Daniel told Bloomberg News that, “So far, the evidence we have doesn’t suggest that health information technology is a significant factor in safety events.”

That’s a very interesting statement for Daniel to make considering that a 2011 Institute of Medicine report, and another report published this week by the American College of Emergency Physicians, state there isn't sufficient evidence for anyone to reach such a conclusion!

Read More

IT Hiccups of the Week: Southwest Airlines Computer Failure Grounded All Flights

It was a slow week in the land of IT-related “ooftas.” We start off with one that could have been much worse if the timing had been different.

Southwest Airlines Computer Failure Cancels 57 Flights, Grounds Another 250

Last Friday night at about 8 p.m. PDT, Southwest Airlines, the largest U.S. domestic carrier, with 3400 flights daily, experienced a system-wide computer failure that grounded the airline’s entire fleet not already in the air, the AP reported. Full service was restored by 11 p.m. PDT, but not before the airline had to cancel 43 flights (originally reported as 50) and delay about 250 others mostly west of the Mississippi River. Flights in Minneapolis, Chicago, Phoenix, Denver and San Diego were said to be affected. The airline also had to cancel another 17 flights early Saturday morning because crews and equipment were in the wrong place.

The computer failure, a Southwest spokesperson told the AP, “impaired the airline's ability to do such things as conduct check-ins, print boarding passes and monitor the weight of each aircraft.” Planes on the taxiways were recalled to the terminals although planes in flight were unaffected. The airline was able to get its back-up system operational, although the system's performance was said to be “sluggish.” Southwest got its primary system back up and operating normally by early Saturday, but the airline indicated it still wasn’t exactly sure of the source of the problem.

Southwest said it “sincerely apologized” for the “airport technology issue.” Luckily, the failure hit late on a Friday night, instead of first thing Monday morning. Southwest also seemed to do a good job in being able to get its customers who were scheduled to be aboard the canceled flights rebooked: there was little grousing in the press from disgruntled Southwest passengers.

As you may remember, American Airlines had to cancel 970 flights and delay another 1068 when a computer problem hit mid-morning on a Tuesday and lasted for only 90 minutes more than Southwest’s snafu. However, American's problem—whose cause has, to my knowledge, never been disclosed—affected its back-up system as well.

American Airlines, along with United, had another computer-related system problem last Wednesday, but it was localized to Philadelphia International Airport. The AP reported that an airport spokesperson said there was a “connectivity issue” that “started early Wednesday morning in a computer system at a ticketing counter. It caused problems for several hours before the issue was resolved by 9 a.m.” CBS News, on the other hand, reported that United Airlines said the problem, which took out their computer systems and phones, was a power outage that began at about 4:45 a.m.

Regardless of the true cause, the problem caused United to cancel six flights and delay several others. American delayed flights, but reportedly did not cancel any.

No other airline at the airport reported having any problems.

Utah and Colorado Motor Vehicle Systems Have Problems

Last week saw the motor vehicle systems in both Utah and Colorado suffer outages. Last Tuesday, the Salt Lake Tribune reported that a “database error” crashed the state’s drivers license records system. The Tribune stated that the incident was the result of “a code-reading error involving a daily transfer of motor vehicle records from the state Tax Commission to a DPS [Department of Public Safety] database.”

The Utah DPS was able to get its back-up system working, which allowed the state’s law enforcement officers limited access to records, but all processing of license applications and renewals came to a halt. The system was fixed by late Tuesday night, and normal operations resumed by Wednesday morning.

On Saturday, Colorado's lone state motor vehicle office open on weekends was “unable to provide new vehicle registrations, renewals or title work” because of a crash of the Colorado State Motor Vehicle system, the Colorado Springs Gazette reported. The office, located in Colorado Springs, was still “able to address drivers licenses, recording and elections,” the paper said.  A news release at the state’s website seemingly blamed the problem on a network issue. A network problem affected motor vehicle offices across the state last month as well. The state said it appreciated everyone’s patience and apologized for the inconvenience.

1900 New York City High School Graduates Receive Post-it Note Diplomas

Some 57 000 New York City high school seniors graduated last week. For an unlucky 1900 or so, instead of receiving high school diplomas as they accepted congratulations from their principals, they each received a Post-it Note with their “name scrawled in Sharpie,” the New York Times reported. The reason for the less than thrilling recognition of achievement was because of an error at McGraw-Hill, the company that was in charge of scanning in the results of state’s Regents exams.

There is a bit of a backstory here that needs explanation. As the Times story described, for this school year, New York City school officials placed into effect a new Regents exam grading approach. In the past, officials felt teachers were grading their own students’ exams too easily, so they decided that the completed exams should be scanned and sent randomly to other teachers in the city to grade.

However, the company responsible for the exam scanning, McGraw-Hill Education in Connecticut, had what it called “intermittent slowdowns” which delayed the return of the exams to teachers be graded. The Times said the scanning system “broke down.”

New York City was forced to hire extra teachers over this past weekend to try to complete all the exam grading before school ends on Wednesday of this week. The New York Daily News says that McGraw-Hill will have to pick up the $42 an hour tab the extra teachers are going to be paid.

New York City Comptroller John Liu, who is running for mayor, wants McGraw-Hill to pay back the US $3 million the city spent on the scanning contract with the company. Liu is said by the Times to be considering an audit of the contract. In a related story, the state of Indiana announced on Friday that it plans to sue McGraw-Hill for its problems with administering standardized tests in that state. The announcement came on the same day company President Ellen Haley was apologizing to the state legislature for them.

An apology to New York City’s graduating seniors didn’t seem to be forthcoming from the city’s Education Department. A spokesperson there tried to minimize the issue by telling the Times that the department had expected some “bumps” and that “the problem affected fewer than 3 percent of the roughly 57,000 seniors”, and anyway, “each year there was a relatively small number of students who received their scores, and their diplomas, after graduation ceremonies.”

In other words, those graduating seniors who didn’t get their diplomas on time should quit griping and just be happy admiring the framed graduation Post-it Notes adorning their living room walls.

Also of interest…

“Technical Flaw” Exposed 6 million Facebook Users’ Phone Numbers and Email Addresses

Industrial and Commercial Bank of China System Upgrade Goes Awry

“Obama/Black” Color Listing a Computer Error Urban Outfitters Say

Photo: Karen Bleier/AFP/Getty Images

Three Guilty Pleas in NYC's CityTime Payroll System Fraud Case

On Wednesday, Manhattan U.S. Attorney Preet Bharara announced that three defendants in its New York City's CityTime payroll system fraud case had decided to change their pleas to guilty. The three women—all related to Mark Mazer, a former city consultant who is charged with being one of the four central figures in the fraud—are: Svetlana Mazer, his wife; Larisa Medzon, his mother; and Anna Makovetskaya, a cousin.

As a quick recap, the CityTime project involved the development of a secure, Web-based time and attendance system for 80 mayoral and other city agencies. The original estimated project cost was some US $63 million, but CityTime ended up "costing" the Big Apple $720 million by the time it became fully operational in 2011. SAIC was the CityTime prime contractor, but it had shopped out much of the work (some $400 million worth) to Technodyne, LLC, a company owned by Padma and Reddy Allen.

An audit in early 2010 by New York City Comptroller Jon Liuthe first formal review of the project in 12 years, despite warnings as far back as 2003 that something wasn’t right with the management of the project —uncovered numerous contracting irregularities. In late 2010, federal charges were brought against SAIC employees and subcontractors involved in CityTime. At the time, the government believed the amount of fraud involved totaled about $80 million.

However, in 2011, Bharara announced that “...virtually all of the $600 million that the City paid SAIC for CityTime was tainted, directly or indirectly, by fraud.” More defendants and criminal charges were added (pdf) to the list of criminal complaints.  Bharara also announced in the complaint that SAIC’s Chief Systems Engineer on the project, Carl Bell, pleaded guilty to taking $5 million in kickbacks on the project.

In 2012, SAIC agreed as part of a deferred prosecution agreement to “forfeit a total of $500 392 977 to the Department of Justice, and forgive more than $40 million still owed by the City to SAIC in connection with the CityTime project.” SAIC also agreed to retain an independent monitor to ensure the company and its personnel followed its stated compliance and ethics policies. However, as I noted at the time, SAIC tried to put a pretty positive spin on its having to shell out $500 million to avoid prosecution for its part in the fraud. The company made out that it had been “victimized” and that it had, in fact, delivered a “world class workforce management system for New York City.”

Getting back to the three new CityTime criminals, not only did they agree to plead guilty, but they agreed to forfeit $31 million in cash and property. Reuters reported that each of the three were originally charged with “a count of money laundering conspiracy in connection with helping Mark Mazer conceal $25 million in kickbacks he received.” However, they agreed to plead guilty to lesser charges of obstructing justice by making false statements to a bank, and to serve sentences ranging from 10 to 30 months in jail. They could have faced 5 to 20 years in prison if they had proceeded to trial and been found guilty on the original charge.

Reuters also states that, “Despite so many members of his family pleading guilty, Mark Mazer is not in plea talks and continues to plan to fight the charges, said Gerald Shargel, his lawyer.”

“‘The guilty pleas have no impact whatsoever on our case,’ Shargel said. ‘Our position has been and remains the City of New York was not defrauded. The City of New York got exactly what it paid for.’“

Hmmm... Sounds just like what SAIC—and Mayor Michael Bloomberg—have claimed. In fact, observers are betting that the defense strategy will be something to the effect of, "Since there is a working, “world class” CityTime payroll system, no fraud was committed. Costly, maybe; but fraudulent, definitely not.

Interestingly, a story in yesterday’s New York Times indicates that the three women still believe Mark Mazer is innocent as well.  

His guilt or innocence will be determined beginning 30 September, when he and Gerald Denault (pdf), SAIC’s Program Manager for the CityTime project, go to trial. Technodyne owners Padma and Reddy Allen, the other main defendants accused in the fraud scheme, fled back to their native India in early 2011 with at least $39 million. Their whereabouts are unknown, except maybe to the NSA.


Photo: Charles O’Rear/Corbis

Does the NSA Really Need “Direct Access”?

Protesting the Program: Activists gathered in Washington D.C. on June 14th to rally against U.S government surveillance programs.

We’re now well into the second stage of the controversy surrounding the allegations that the NSA is conducting large-scale surveillance of U.S. citizens. Whistleblower/leaker/traitor (the exact term varying according to individual opinion.) Edward Snowden is being scrutinized, as are the articles written by Glenn Greenwald for The Guardian newspaper.

That Snowden’s perceived reliability, or lack thereof, has become a major part of the story is an entirely predictable consequence of his decision to reveal his identity. Back in 2004, Dina Rasor, then working under the auspices of the National Whistleblower Center in Washington D.C., told IEEE Spectrum that going public in this way was like “setting your hair on fire for one glorious minute.” Whistleblowers were well advised to remain anonymous so that the revelation “becomes the issue, and not you.” (As has been pointed out in several places, if we’d known that Deep Throat was an FBI director angry at being passed over for promotion, his accusations about Watergate might not have been taken so seriously.)

That the focus of the discussion has also shifted to Greenwald’s reporting is also not surprising in the light of that 2004 article. IEEE Fellow Stephen H. Unger, a former chairman of the IEEE Ethics Committee cautioned against the dangers of hastiness, or making the slightest factual error, when bringing any revelations to light: “Don't exaggerate at all… You could be 99 percent right, but if you make one little mistake, they'll focus on that to discredit you.”

The biggest substantive criticisms of Greenwald’s reporting so far have centered on his contention that companies like Google and Apple provided “direct access,” so that the NSA could come in and snoop around however they liked, grabbing information in real time if need be.

Read More

IT Hiccups of the Week: 911 Systems Need Emergency Help

This week, the U.S. National Emergency Number Association (NENA) holds its annual conference to discuss 911 policy, technology, operations, and related education issues. I would guess that high on the list of informal conversations among conference attendees will be the increasing controversy engulfing New York City’s new 911 dispatch system, as well as the problems that several other cities and towns recently have reported with their own emergency management systems.

Heated Arguments Over Whether New York City 911 System Contributed to Young Girl’s Death

It is a situation reminiscent of the disastrous London Ambulance Service dispatch system meltdown in 1992 that was blamed for contributing to the deaths of up to 20 or more persons waiting for ambulances that arrived horribly late.

About two weeks ago, four-year-old Ariel Russo was walking to school with her grandmother in New York City’s Upper West Side when they were struck by a car driven by an unlicensed 17-year-old trying to elude the police. According to the New York Daily News, it took “an unusually long 4 minutes and 18 seconds from the time of the first request for an ambulance from police at the scene to a 911 operator, until the time an ambulance was finally dispatched. Once FDNY and EMS dispatchers received and acknowledged the transmission, it took 3 minutes and 52 seconds to dispatch an ambulance and for it to arrive at the scene.”

Ms. Russo was said to still be alive after the crash, but in cardiac arrest; she died on the way to the hospital. It is unclear whether the time delay made a difference in whether she would have survived or not. The grandmother survived, but suffered a broken back and leg.

The FDNY admitted that it shouldn’t have taken four minutes to dispatch an ambulance, but it placed the blame squarely on “human error,” claiming that, “An EMS dispatcher apparently got up from his desk at some point for several minutes and missed the transmission for an ambulance that had been sent by the NYPD operator on a relay. We’ve interviewed the dispatcher and he’s admitted he missed it.”

However, that explanation was immediately challenged on a couple of counts. For one, it was a female dispatcher who supposedly took the call.  We say supposedly because the dispatcher, a 23-year veteran, claimed that the call never crossed her screen before she got up to take her scheduled break and was replaced by another dispatcher. In addition, the call was supposed to be displayed not only that dispatcher’s display, but all of the other 39 dispatchers’ screens as well as on a “giant, wall-mounted screen,” the Daily News reported in a follow-on story. Why didn't any of the other dispatchers say they saw the call, the Daily News asked.

Read More

This Week in Cybercrime: FDA Urges Tighter Cybersecurity for Medical Devices

First: Do No Harm. Second: Keep Others From Doing It.

In the wake of discoveries that some medical devices are vulnerable to remote tampering via the Internet, the U.S. Food and Drug Administration (FDA) issued new guidelines this week that are meant to direct medical device manufacturers in beefing up security. The hope is that we'll never have to read about—or worse, personally experience—death or injury because some malware-infected gadget didn't work the way it should.

The FDA recommendations call for device makers to review their cybersecurity practices and test their products with an eye toward ensuring that their authentication setups can limit access to authorized users only. The guidelines also urge health care facilities to be more vigilant in updating their antivirus software, to set stricter controls on who accesses their networks, and to cooperate with device makers to investigate and fix security breaches.

The FDA says that although no deaths or injuries associated with these vulnerabilities or malfunctions have been reported, the rise in cybercrime makes such an outcome “increasingly likely.” The guidelines, though not legally enforceable, put device makers and medical facilities on notice that they need to step up their efforts to keep diagnostic machines from being taken over by attackers, prevent pacemakers from being reset so that they deliver fatal shocks, and to keep insulin pumps from being tampered with.

The FDA action was prompted by the U.S. Government Accountability Office, which asked it to “develop and implement a plan expanding its focus on information security risks.” It’s about time. Just imagine someone undergoing a surgical procedure where an advanced robot is doing the cutting as proxy for a surgeon in another part of the world. Malware in the system that controls a mechanical arm—or a man-in-the-middle-attack—could be deadly. And even banal mash-ups of technology and medicine could put patients at risk. Computerized drug dispensaries, meant to keep people from receiving the wrong prescription or the wrong dose, could be targets.

Read More

BBC IT Project Fiasco Snares New York Times CEO

A few weeks ago, I wrote about the BBC blowing £98.4 million (about US $150 million at current exchange rates) on its failed Digital Media Initiative project meant to develop digital production technology that would fundamentally transform how the BBC operated internally. The story gets more and more interesting, and has now leaped across the Atlantic to snare the head of the New York Times in its net.

To quickly recap, the DMI project began in February 2008 with the expectation that the project’s contractor Siemens Information Solutions and Services (SIS) group would have the “transformational” technology ready for operation by May 2009. Siemens, however, consistently missed the project’s schedule from the beginning, and in September 2009, the BBC and Siemens cancelled the contract by mutual agreement.

The BBC then brought the DMI project in-house with a new date for the rollout of DMI’s production technology across the BBC during the summer of 2011. When the National Audit Office, an independent Parliamentary body, took a look at the project’s status in late 2010, BBC management told it that “delivery of the system has progressed well, and users have responded positively” to it. BBC management also convinced BBC Trust's Anthony Fry, a member of the governing body of the BBC, that the “delivery [of the DMI system] was progressing as planned.”

However, progress didn’t go as planned. Users thought it was “clunky” and needed a significant redesign, and by October of last year, the DMI project was suspended pending a review. Last month, the new BBC Director General Tony Hall decided to pull the plug on the project, as it had created, in Trustee Fry’s assessment, “little or no assets.” Lord Hall immediately suspended (with pay) the BBC’s Chief Technology Officer John Linwood, who oversaw the DMI effort, and MP Margaret Hodge, chair of the House of Commons Public Accounts Committee called the cancellation, “a terrible shock and clearly completely shambolic.”

Here's where it gets really interesting.

Read More

Voice-Activated Systems Make Driving Less Safe

A decade ago, I wrote an article about the efforts of automotive technologists to make up for the fact that “we get sleepy while driving at night, do dumb things like put on makeup or shave while creeping along in bumper-to-bumper traffic, or look away from the road to adjust our car radios.” Automakers were introducing safety systems such as adaptive cruise control, which maintains a safe distance between a car and the one ahead of it even if the driver is asleep at the wheel. Advancing just as rapidly along a parallel plane was technology aimed at keeping drivers connected to the world outside the passenger cabin. (To be sure, its unlikely that engineers back then were imagining drivers updating their social media profiles while traveling at highway speeds.)

Some of the innovations—routing mobile phone conversations through a car’s speakers to ensure that a driver could keep both hands on the steering wheel, for one—were specifically intended to combat the inattention to the road that results from looking down at a small screen. But even back then, researchers understood that these improvements, though laudable, were not enough to safely limit the cognitive demands that keep a driver from focusing on the main task—operating heavy machinery.

A new study released today by the AAA’s Foundation for Highway Safety reinforces that understanding. Most alarming is its conclusion that systems designed to allow drivers to dictate e-mail or text messages, or that translate text to speech then read the messages aloud—ostensibly meant to promote safety—actually worsen driver distraction.

This is a big deal when you consider that, according to electronics consulting firm IMS Research, more than half of all new cars will have voice recognition functionality.

Read More

IT Hiccups of the Week: Irish Rail to Riders: Pay Up for Software Screw Up

This past week saw an uptick in the number of IT-related malfunctions, mishaps and mayhem in comparison to the previous few weeks. We start off with a lesson from Irish Rail on how not to endear yourself with your passengers when fixing a software problem.

Irish Rail Gives Scant Warning to Passengers for Belated Billing on Uncharged Trips

Last Friday, Irish Rail announced in a press release on its website that a March 2013 software upgrade to its Ticket Vending Machines (TVMs) didn’t work as planned, resulting in tickets being issued and payments being authorized against payment cards. But unfortunately for the transit authority, the payments weren’t actually deducted from passenger accounts. Over 9000 individual payment cards were affected by the error,  nearly all attached to Maestro Debit cards, Irish Rail said. The incomplete transactions occurred for train tickets purchased between 28 March and 31 May 2013 and came to about €331 000 (US $438 000) in uncollected fares.

Irish Rail also announced in its press release that I am sure all of its riders read on a daily basis that, beginning today, it would begin to collect the monies owed it. There’s nothing like giving your customers a lot of advanced notice.

Naturally, Irish Rail’s decision did not sit well with many of those affected customers, with the spokesperson of Rail Users Ireland logically asking why Irish Rail couldn’t have waited a week at least to allow customers some time to hear about the news, and also let customers ensure that they had enough money in their bank accounts to cover the charges so that they wouldn't become inadvertently overdrawn.

Irish Rail said that it recognized “that processing cumulative payments at one time may cause difficulties for some customers,” and so it set up a somewhat convoluted payment scheme to reduce the pain. However, the railroad also admits that 60 to 70 percent of those owing money will see charges to their bank accounts beginning today.

Irish Rail added in its press release, “We apologies [sic] for any inconvenience this fault causes customers.”

Let’s hope that Irish Rail’s augmented reality app released today doesn’t have similar software issues.

Read More

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones
Load More