Risk Factor

Practice Safe Computing - Or Else

There is a report in the London Times that says UK banks are likely to start getting tough on customers who fall for phishing attacks. New rules to the Banking Code (these cover how banks must treat their customers) that came into effect last month state that "victims of online fraud must have up-to-date antivirus and antispyware software installed, plus a personal firewall, to claim redress from their banks," the Times story says.

If a person fails to have the required safeguards in place, the banks can refuse any claim for a refund.

The onus is on the individual to prove that they have these safeguards in place at the time of the hack. I see a small boon to an enterprising company that develops a software program to keep a log of the total state of the security profile of a person's computer. The company could even suggest, for a small additional fee, to keep the log on its central system to prove to the banks that the profile wasn't tampered with in any way.
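The mechanism such a company would need is a tamper-evident log: a hash chain over the posture snapshots, with the central service countersigning each chain head using a key the customer never holds. The following is an added illustration, not code from the original post or from any real product; the server key, the three posture snapshots and the field names are all constructed for the demo. It shows why a log kept only on the customer's own machine proves nothing (it can be rewritten before the claim is filed) while a log anchored by a receipt from a third party cannot be edited, truncated or reordered without the receipt failing to verify.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PostureEntry is one timestamped snapshot of the safeguards the Banking Code
// names. All values below are constructed sample data, not real telemetry.
type PostureEntry struct {
	Timestamp   string
	Antivirus   string
	Antispyware string
	Firewall    string
}

func (e PostureEntry) canonical() []byte {
	// Fixed field order and separator so the same entry always hashes the same.
	return []byte(e.Timestamp + "|" + e.Antivirus + "|" + e.Antispyware + "|" + e.Firewall)
}

// chainHead folds the log into a hash chain: h_i = SHA-256(h_{i-1} || entry_i),
// starting from an all-zero genesis value. Changing, dropping or reordering any
// entry changes every head after it.
func chainHead(entries []PostureEntry) []byte {
	head := make([]byte, sha256.Size)
	for _, e := range entries {
		h := sha256.New()
		h.Write(head)
		h.Write(e.canonical())
		head = h.Sum(nil)
	}
	return head
}

// Receipt is what the hypothetical central service returns after each upload:
// the entry count and chain head it saw, authenticated with a key only the
// service holds. The customer keeps the receipt next to the log.
type Receipt struct {
	Count int
	Head  []byte
	MAC   []byte
}

func receiptMAC(serverKey []byte, count int, head []byte) []byte {
	m := hmac.New(sha256.New, serverKey)
	fmt.Fprintf(m, "%d|", count)
	m.Write(head)
	return m.Sum(nil)
}

// issueReceipt runs on the service side.
func issueReceipt(serverKey []byte, entries []PostureEntry) Receipt {
	head := chainHead(entries)
	return Receipt{Count: len(entries), Head: head, MAC: receiptMAC(serverKey, len(entries), head)}
}

// verifyReceipt is what the bank (or the service on the bank's behalf) runs
// when a customer presents a log plus the receipt issued for it.
func verifyReceipt(serverKey []byte, entries []PostureEntry, r Receipt) bool {
	if r.Count != len(entries) {
		return false // entries added or removed since the receipt was issued
	}
	head := chainHead(entries)
	if !hmac.Equal(head, r.Head) {
		return false // some entry was edited or reordered
	}
	return hmac.Equal(receiptMAC(serverKey, r.Count, head), r.MAC)
}

// sampleLog is a constructed three-snapshot history in which the antivirus
// definitions were out of date in the middle of the month.
func sampleLog() []PostureEntry {
	return []PostureEntry{
		{"2008-04-01T08:00Z", "defs 2008-03-31", "defs 2008-03-30", "on"},
		{"2008-04-15T08:00Z", "defs 2008-03-31", "defs 2008-04-14", "on"},
		{"2008-04-29T08:00Z", "defs 2008-04-28", "defs 2008-04-28", "on"},
	}
}

func main() {
	serverKey := []byte("constructed-demo-key-not-for-real-use")
	history := sampleLog()
	r := issueReceipt(serverKey, history)
	fmt.Println("genuine log verifies:", verifyReceipt(serverKey, history, r))

	// The customer "fixes" history before filing the claim.
	edited := append([]PostureEntry(nil), history...)
	edited[1].Antivirus = "defs 2008-04-14"
	fmt.Println("edited log verifies: ", verifyReceipt(serverKey, edited, r))
	fmt.Println("receipt head:", hex.EncodeToString(r.Head)[:16], "...")
}
```

The receipt covers the entry count as well as the head, so silently dropping the most recent snapshot fails just as an edit does. What the scheme cannot do is vouch for the snapshots being truthful in the first place; a machine compromised by the same malware that enabled the fraud can report whatever posture the attacker likes, which is the weakness the following paragraph hints at.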

There is a problem, of course, in that a person's personal information may have been hacked months before it was used in an attack, but that is another story.

At least one of my banks has a similar "redress" policy. This bank makes it very clear every time you sign on that protection of the information that allows access to my accounts through its website is my responsibility, and that the bank will not be liable in any way if that information is used by an unauthorized third party due to my negligence.

How I can prove that some future unauthorized access wasn't due to my negligence is not spelled out in any way (what, do I have to get the hackers to tell the bank where and how they got my information?), so I have started to stay away from accessing my bank account information through this bank's website. I suspect some bank customers in the UK faced with a similar dilemma may decide to do the same.

UK banks, like those in the US, want their customers to do more on-line banking to reduce their personnel and other overhead costs - I am going to be interested in seeing what happens if the banks start refusing to pay refund claims from hacked (off) customers.

Heathrow Terminal 5 Better But Still Has Problems


Last week, it was reported that London Heathrow's Terminal 5 problems have greatly abated, but they haven't gone away, and may flare up again. British Airways (BA) Chief Executive Willie Walsh admitted at a conference at London's Institute of Directors that the baggage system was still not working properly.

BA ended the first quarter of 2008 with the most lost bags of any European airline (270,106 bags). BA lost 28.9 bags per 1,000 passengers, up from 22.4 bags per 1,000 passengers in the last quarter of 2007. The odds of losing a bag on BA were put at 1 in 34.

Walsh blamed the problems on Terminal 5's disastrous opening and the crash of its Boeing 777 at Heathrow in January. He also said another reason was because BA took baggage handlers from its other Heathrow Terminals (1, 3 and 4) over to Terminal 5 to train on the new baggage system there: "Staffing levels were lower than usual in Terminals 1, 3 and 4 because we were running test and training operations in Terminal 5."

In that case, the total number of lost bags attributable to Terminal 5 should include both those lost during the chaotic opening and those lost because of the staff training. It's also too bad Walsh didn't tell BA passengers that their bags were at higher risk of being lost during that training period, which started the previous September.

The problem of lost baggage has become so acute, not only for BA but for other European airlines as well, that the Association of European Airlines announced that it would provide lost baggage statistics only on a half-yearly basis, not quarterly as it has always done before. It claims that this isn't to hide embarrassing bad news, but that people (i.e., the press) were giving too much significance to the numbers.


Livermore Lightbulb is 107


It isn't an IT story, but I came across this article in the LA Times today about a light bulb in a Livermore, California fire station that is still working after 107 years. According to the story, the light bulb has been on for almost 1 million hours, and the firemen dare not turn it off because they are afraid it won't come back on.

You can see the light bulb for yourself at www.centennialbulb.org.

I do wonder, though, how many software programs will still be running after a hundred years. Maybe some of the COBOL programs at the Social Security Administration?

Robo-Squirrel Tries to Gain Acceptance With Locals


There was an interesting little Associated Press story over the weekend about researchers at Hampshire College in Amherst, Massachusetts using a robot squirrel named appropriately "Rocky" to help "decode squirrels' communication techniques, social cues and survival instincts."

The researchers use a computer and a set of binoculars to control the home-made robotic squirrel as it infiltrates the local gray squirrel population. The squirrel is equipped with appropriate squirrel sound recordings to "speak" to the other squirrels in attempts to get their attention.

The researchers are trying to figure out whether squirrels "react more strongly to Rocky's noises or movements or a combination."

The story also mentions the use of fake lizards and sage grouse by researchers to gain more insights into animal behaviors.

What I would really like is a robo-hawk or robo-owl to keep away the hyperactive squirrels around my house who think it is their house.

Italy Posts All Taxpayer Income on the Web

In a move it said was a "simple matter of transparency and democracy," the Italian Revenue Agency on Wednesday posted without warning the total revenue, income tax paid and other personal details of Italian citizens for 2005, including those of politicians, soccer players and TV personalities. The move was an attempt by Premier Romano Prodi's outgoing government to expose tax evasion. According to an Italian government report from 2007, unpaid tax in the country amounts to the equivalent of 7% of gross domestic product.

Within hours, Italy's Privacy Authority ordered the tax agency to suspend the posting, saying it presented "clear and serious problems" under the country's privacy rules. By the time the information was removed from the web, however, much of it had already been captured and was circulating on peer-to-peer file-sharing networks.

The Italian taxpayers' association is advising people to download forms from its website to help them claim 500 euros in damages each from the tax authority.

Think of the firestorm if something like that happened in the US.

DNA Non-discrimination Bill Passes


The US House approved by a vote of 414-to-1 the Genetic Information Nondiscrimination Act prohibiting discrimination by health insurers and employers based on a person's DNA. President Bush said he would sign it.

According to the New York Times, "the legislation prohibits health insurance companies from using genetic information to deny benefits or raise premiums for individual policies. (It is already illegal to exclude individuals from a group plan because of their genetic profile.) Employers who use genetic information to make decisions about hiring, firing or compensation could be fined as much as $300,000 for each violation."

The Times story also has some words of warning, as well: "The health insurance measure would not go into effect until a year after it becomes law, and the employment measure would take effect only after 18 months. Even then, there may be reason to be cautious. The bill may be hard to enforce, some experts say, and it does not address discrimination by long-term care insurers or life insurers."

It also notes another interesting implication, however: "For health insurers, the bill may avert the need to compete in a complex game of calibrating policies to an ever-changing set of genetic risk probabilities. But as genetic tests provide ever more information at lower costs, the entire notion of insuring against unknown risk that has long defined the industry may be upended."

It will be interesting to see how electronic health records, DNA information recorded within them, and the data mining of millions of health records come into play over the next two decades in regards to the future of medical insurance.

Mortgage Data Disclosed


The Washington Post said that LendingTree, an online mortgage broker with more than 20 million customers, announced this week a privacy breach that exposed personal data such as income and job information on an undisclosed number of users to five Southern California home loan lenders. LendingTree generates leads for lenders who pay for information about prospective borrowers.

According to the Post, LendingTree "notified customers by letter last week that 'several former employees may have helped a handful of mortgage lenders gain access to LendingTree's customer information by sharing confidential passwords with the lenders.'"

"Based on our investigation, we understand that these mortgage lenders used the password to access LendingTree's customer loan request forms, normally available only to LendingTree-approved lenders, to market loans to those customers."

LendingTree's loan request forms contained data such as name, address, e-mail address, telephone number and Social Security number. The loan forms were from October 2006 through early 2008, the letter said.

LendingTree said it did not believe any identity theft or fraudulent financial activity resulted but suggested that customers who were notified obtain a free credit report.

Hannaford Tightens Credit Card Security


Supermarket chain Hannaford, whose systems were breached from last December until March of this year, has announced that it has tightened the security of its credit card data. According to the Boston Globe, Hannaford "has started encrypting card numbers from the moment they are swiped at checkout counters. And it has tapped IBM to monitor security for its computer network around the clock."

Hannaford's CIO Bill Homa said that while the company had been compliant with the credit card industry's Payment Card Industry Data Security Standard (PCI DSS), "the standards were written mainly to secure data stored on retailers' internal computers and didn't anticipate that hackers might be able to intercept credit card numbers as they were transmitted to card processors for authorization."
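The distinction Homa draws is between protecting card numbers at rest and protecting them in transit across the store's own network. The added example below is an illustration, not Hannaford's code and not its actual message format (which is not public); the terminal key, the JSON authorization message and the test card number are all constructed for the demo. It contrasts a flow that is compliant for stored data yet sends the PAN in the clear to be authorized (the situation an intruder on the store network exploits) with encryption at the swipe, where the PIN pad seals the PAN with a key shared only with the processor, so nothing downstream in the store can read it and any change to the sale it is attached to fails authentication.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
)

// AuthRequest is a constructed stand-in for the authorization message a
// checkout lane sends toward the card processor. Only the handling of the
// PAN field differs between the two flows.
type AuthRequest struct {
	Lane   string `json:"lane"`
	Amount string `json:"amount"`
	PAN    string `json:"pan,omitempty"`     // cleartext PAN: the pre-breach flow
	Nonce  []byte `json:"nonce,omitempty"`   // AES-GCM nonce: the hardened flow
	EncPAN []byte `json:"enc_pan,omitempty"` // AES-GCM ciphertext+tag: the hardened flow
}

// plainRequest models a flow that protects stored data but sends the PAN in
// the clear across the store network for authorization.
func plainRequest(lane, amount, pan string) []byte {
	b, _ := json.Marshal(AuthRequest{Lane: lane, Amount: amount, PAN: pan})
	return b
}

// aad binds the ciphertext to this sale so it cannot be spliced onto another.
func aad(lane, amount string) []byte { return []byte(lane + "|" + amount) }

// encryptedRequest models encryption at the swipe. terminalKey is a
// constructed 32-byte AES-256 key that only the PIN pad and the processor hold.
func encryptedRequest(terminalKey []byte, lane, amount, pan string) ([]byte, error) {
	block, err := aes.NewCipher(terminalKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	enc := gcm.Seal(nil, nonce, []byte(pan), aad(lane, amount))
	return json.Marshal(AuthRequest{Lane: lane, Amount: amount, Nonce: nonce, EncPAN: enc})
}

// processorDecrypt is the only place the PAN reappears. A modified amount or
// lane, a tampered ciphertext, or the wrong key fails the GCM tag check.
func processorDecrypt(terminalKey []byte, msg []byte) (string, error) {
	var req AuthRequest
	if err := json.Unmarshal(msg, &req); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(terminalKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(req.Nonce) != gcm.NonceSize() {
		return "", fmt.Errorf("bad nonce length %d", len(req.Nonce))
	}
	pan, err := gcm.Open(nil, req.Nonce, req.EncPAN, aad(req.Lane, req.Amount))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

// leaksPAN is the intruder's view: does the PAN appear anywhere in the bytes
// that cross the store network?
func leaksPAN(msg []byte, pan string) bool {
	return bytes.Contains(msg, []byte(pan))
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, never reuse
	pan := "4111111111111111"             // well-known test PAN, not a real card
	plain := plainRequest("lane07", "12.34", pan)
	sealed, _ := encryptedRequest(key, "lane07", "12.34", pan)
	fmt.Println("cleartext flow leaks PAN:", leaksPAN(plain, pan))
	fmt.Println("encrypted flow leaks PAN:", leaksPAN(sealed, pan))
	got, err := processorDecrypt(key, sealed)
	fmt.Println("processor recovers PAN:", got == pan, err)
}
```

The point to check in any real deployment is where the key lives: if the store's own server can decrypt, the attacker who owns that server can too, and the scheme collapses back to the pre-breach flow. GCM also requires that a nonce never repeat under the same key, which is why production terminals rely on the processor to inject and rotate keys rather than on a single long-lived key as in this demo.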

Homa said one problem his company faced was that it was "at the mercy" of software vendors to provide updated security improvements. Hannaford, he said, wanted to put new security measures in sooner, but was forced to wait on its vendors.

Hannaford still does not know whether it was an intruder or an insider who was responsible for the breach. The investigation is continuing.

High Costs of Satellites Impeding Future Communications?


A report in the London Times says that the high cost of satellite launches is making communication companies "flinch" at investing in new satellites. New, larger satellites are needed to handle the increasing volume of mobile traffic, especially in India and the rest of Asia.

The report says that the new generation of communication satellites (which cost $650 million and up) weigh up to 8 tons, and only the Ariane 5 rocket is currently commercially available to carry the satellites up into high orbit. With a virtual stranglehold on the market, Ariane is demanding $120 million per launch.

There is concern that the high launch and development costs will begin to slow the introduction of new or upgraded communication services. Satellite makers prefer to have at least two launch suppliers, and until there is a competitor to Ariane, they are reluctant to move ahead.

As explained in the report by Jean-Marie Robert, the head of telecom satellites at Thales Alenia Space, "The way this industry works is that we build the satellite and the buyer then chooses the launcher they want based on price and reliability. But we need at least two launchers to have a competitive industry and to avoid expensive launches."

The high costs involved may also force space insurance rates to rise, further increasing the reluctance of communication companies to send up new satellites. Insurance costs have been rising, and the recent loss of the $150 million AMC-14 satellite, which was to deliver television services to the US, won't help.

2 Million University of Miami Patient Records Stolen

Last week, the University of Miami acknowledged that six backup tapes from its medical school containing more than 2 million medical records were stolen in March from a van that was transporting the data to an off-site facility, according to an article in ComputerWorld.

The tapes were stolen on 17 March, but it took until the 17th of April before the University posted an alert about the theft. In the post, the University said that it, "... determined it would be unlikely that a thief would be able to access the back-up tapes because of the complex and proprietary format in which they were written."

Furthermore, the University said, "Anyone who has been a patient of a University of Miami physician or visited a UM facility since January 1, 1999, is likely included on the tapes. The data included names, addresses, Social Security numbers, or health information. The University will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment."

As far as I can tell, I guess we can now ring the bell.



IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones