Risk Factor

This Week in Cybercrime: U.S. House Passes Bill Allowing Firms to Share Customer Info With the Government

U.S. House Votes to Immunize Companies Against Privacy Lawsuits

The U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA) on Thursday by a margin of 288 to 127, despite warnings that President Barack Obama would likely veto the controversial bill if it passes the Senate and reaches his desk. The bill, which was reintroduced in February after an earlier version passed the House but died in the Senate last year, would make it impossible for consumers to sue the government or businesses for breaching the consumer's privacy by sharing data with each other.

The legal shield that CISPA provides would cover the entity divulging the information as long as the company or agency says that doing so was part of its effort to help fight cyber threats. During a House floor debate on the measure on Wednesday, Rep. Dutch Ruppersberger (D-Md.), one of the bill’s co-authors, focused on dollars and cents, claiming that trade secrets worth US $400 billion are stolen from U.S. companies each year. Opponents of the bill acknowledged the economic toll that cybercrime takes on U.S. businesses and consumers, but argued that the bill, though modified from the version that passed the House last year, still doesn’t, in the words of House Minority Leader Nancy Pelosi (D-Calif.), strike a “crucial balance between security and liberty.” Pelosi added that, “Unfortunately, it offers no policies and did not allow any amendments or real solution that upholds Americans' right to privacy.”

A coalition of critics lined up against the bill. Among them was online advocacy group Fight for the Future, whose co-founder, Holmes Wilson, told the UK Guardian that, "It would have been so easy to fix this bill and require sites to strip out personal information before passing them to the government." Kurt Opsahl, senior staff attorney for the Electronic Frontier Foundation, which also came out against CISPA, had urged the House to include an amendment allowing companies to enter into privacy contracts with their customers. The legislators’ decision not to add the change to the bill’s language leaves a “gaping exception to bedrock privacy law,” Opsahl told the Guardian.

Several influential industry groups, including the wireless group CTIA, the U.S. Chamber of Commerce and TechNet, which represents large internet and technology companies, have lobbied for the measure.


American Airlines Still Recovering from “Software Issue” That Grounded Flights Yesterday

Yesterday, American Airlines and its regional carrier American Eagle were forced to cancel some 970 flights and delay another 1068 after the airline experienced “intermittent outages” in communicating with its reservation system. The outages effectively shut down both airlines’ operations, stranding passengers and flight crews alike.

The airline, headquartered in Fort Worth, Texas, publicly acknowledged the problem at about 11 a.m. CDT, and the problem was not fully resolved for another four and a half hours. The reservation system situation led the airline to ask the U.S. Federal Aviation Administration (FAA) to place a ground stop on its aircraft for several hours.

Late yesterday afternoon, American CEO Tom Horton issued an 84-second video statement in which he said, “We experienced a system-wide network outage, causing flight disruptions and inconveniencing many of you. And for that, we are very sorry.”

Horton went on to say, “As you’d imagine, we do have redundancies in our systems, but unfortunately in this case, we had a software issue that impacted both our primary and back-up systems.” 

The airline acknowledged that the "software issue" did not reside with the Sabre Holdings reservation system it (and many other airlines) uses, but with its own IT operations.

American has said that it will accommodate yesterday’s affected travelers. However, the airline also warns that although it has tried to get its aircraft and flight crews where they needed to be this morning, some residual knock-on effects may linger into today.

It was recently announced that when US Airways and American merge later this year to form the world’s largest airline, American Airlines’ legacy systems will be the ones used.

Given yesterday's events and United Airlines’ recent experience, the reservation system cut-over period would probably be a good time to stay home or try another airline.

Photo: Max Faulkner/The Fort Worth Star-Telegram/AP Photo

IT Hiccups of the Week: New NHS 111 Helpline Needs to Call 999

It has been an unusually quiet week in regard to IT-related problems. Of greatest significance seems to be the ongoing technical and training issues associated with the new UK National Health Service (NHS) 111 patient helpline service.

NHS 111 Healthcare Helpline in Meltdown Mode?

Earlier this month, the UK National Health Service began its England-wide roll-out of a new helpline service; to access it, NHS patients can simply dial 111. The service is meant to provide one simple number that people can call to get timely and appropriate information about non-life-threatening but still important medical issues—especially after normal business hours. The plan is that a patient calling in will be quickly connected to a trained call-handler who will assess the patient's request for information and then use a directory of medical services available in the caller's area to provide specific advice on which NHS services could best meet his or her healthcare needs. If the call taker assesses that immediate care is required, an ambulance will be summoned. Patients with life-threatening or other urgent medical emergencies are still able to call 999 to get an immediate emergency service response.

The NHS 111 telephone service is replacing NHS Direct, which was started in 1997, and is staffed primarily with NHS nurse advisors. But to reach NHS Direct, the patient has to dial an 0845 number and incur a charge for the call. Calls to the NHS 111 line are free, but the service uses non-clinically trained call takers who are supposed to be supported by a much smaller number of experienced nurses. This change—along with a setup whereby the provider of the NHS 111 service is contracted for and operates locally rather than the service being provided for by the NHS nationally—is seen as a bid to save the NHS money.

Last month's soft roll-out of the 111 service in the London, Manchester, and Birmingham areas went poorly, according to various news outlets. The weekly medical publication Pulse, for instance, reported doctors warning that “patient care [was] being hampered by the service due to improperly trained staff, a lack of personnel, long waits and out-of-hours GPs having to take on extra work.” The BBC reported that in the Greater Manchester area, the entire 111 system crashed, which meant that an unknown number of patient calls went unanswered.

The British Medical Association was so concerned at the scope of the initial problems being experienced that it said, “The Department of Health needs to reconsider immediately its launch of NHS 111 which clearly is not functioning properly. They must ensure that the system is safe for patients before it is rolled out any further.” In response, the NHS said the April rollout, despite the “teething problems,” would go on as planned, but that it would “carry out thorough testing to ensure that those [111] services are reliable.”

Well, in light of news reports last week, it looks like even more 111 system testing is called for. The London Telegraph reported that there were long delays in responding to patient 111 calls in 30 of the 37 areas across England where the service has been rolled out. In some instances, instead of a patient's call being routed to a central triage center where the medical issue would be prioritized, a vaguely described “system error” caused patient cases to be automatically closed instead. Pulse reported that despite the NHS insistence that things were going well with the 111 roll-out, “more than 40% of calls to NHS 111 [over the Easter weekend] were abandoned by patients in some regions [because they couldn’t get through], while elsewhere one patient had to wait more than 11 hours for a call-back.”

The Daily Mail reported, in its usual understated manner, on emergency services workers' complaints about the staff handling the 111 calls. The call takers are so poorly trained, say the ambulance crews, that they have sent ambulances to deal with obvious non-emergency situations, e.g., an ingrown toenail. Some ambulance crews complained that their workload has doubled since 111 was introduced (researchers last year identified increases in "emergency ambulance incidents" as a possible consequence in an evaluation of four NHS 111 pilot programs (pdf)). One hospital trust in Kent was even said by the Mail to be so overwhelmed by patients being sent to it via the local NHS 111 service that it had to declare an “internal major incident,” which usually only happens when there is a major traffic accident, fire, plane crash, or other emergency event that threatens to overwhelm its care-giving capacity.

The NHS 111-related chaos has spurred a Parliamentary review of all emergency services by the House of Commons Health Committee. The review is supposed to be completed by mid-July.


This Week in Cybercrime: Tax-related ID Thefts Hit 1.8M in 2012

IRS Tax Refund Fraud Epidemic

Monday, April 15, is the deadline for individual income tax returns to be filed. This year, the U.S. Internal Revenue Service is expecting more than 146 million individual tax returns to be sent in, of which some 121 million will be entitled to refunds totaling approximately US $333 billion. However, among those 146 million returns, the IRS is also expecting millions of tax returns to be filed using stolen social security numbers and other personal information in an attempt to fraudulently obtain refunds, Senator Susan Collins (R-ME) said at a Senate Special Committee on Aging hearing earlier this week that looked into tax-related ID theft.

According to Collins, tax-related ID theft has exploded over the past five years. In 2008, the IRS reportedly confirmed “only” 52 000 such cases, compared to the nearly 1.8 million incidents the Treasury Inspector General for Tax Administration said the IRS identified last year. Another 1.5 million fraudulent tax-ID returns apparently slipped through without being caught in 2011, Collins said. The total cost of refund fraud in 2011 was estimated to be as high as $5 billion (which does not include the hundreds of millions of dollars the IRS spent trying to identify all the tax-related identity theft).

Deputy Commissioner of the IRS Beth Tucker wrote in an editorial in USA Today yesterday that in 2011, the IRS blocked $14 billion in fraudulent refunds, while in 2012 she said $20 billion in fraudulent refunds were blocked. She also stated that already this tax season, 2 million suspicious returns have been blocked (a total of 5 million were blocked in 2012, and 3 million in 2011, but it should be noted that not all of these were ID-theft related).

ID thieves have figured out that if they file fraudulent tax returns early in the tax season, they have a good chance of getting a refund before the IRS is able to discover the scam, because the third-party information the IRS needs to verify a taxpayer’s earnings and withholdings isn't available until the end of March. In one case, scammers successfully used a single address in Lansing, Michigan, to file 2137 fraudulent returns, which netted a total of $3,316,051 in refunds.
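The Lansing case above is the kind of pattern that a simple aggregation check catches: one mailing address claiming refunds for an implausible number of distinct filers. The following is an added example, not code from the IEEE Spectrum post or from the IRS; the return records are constructed sample data, the filer tokens stand in for SSNs, and the threshold of three filers per address is an assumed value, not an IRS rule. It normalizes address spelling before grouping so that trivially varied copies of one address (capitalization, punctuation, "St." versus "Street") do not evade the count.

```python
"""Added example (not from the IEEE Spectrum post or the IRS): a detection
heuristic for the refund-fraud pattern where thousands of returns share one
mailing address. All records below are constructed sample data."""
import re
from collections import defaultdict

# Constructed sample returns: (filer token, mailing address, refund USD).
# The filer token is a stand-in for an SSN, not a real identifier.
SAMPLE_RETURNS = [
    ("t001", "123 Main St, Lansing, MI 48901", 1552.00),
    ("t002", "123 MAIN ST., Lansing MI 48901", 1552.00),
    ("t003", "123 main st lansing, mi 48901", 1552.00),
    ("t004", "123 Main Street, Lansing, MI 48901", 1552.00),
    ("t005", "9 Elm Ave, Detroit, MI 48201", 800.00),
    ("t005", "9 Elm Ave, Detroit, MI 48201", 800.00),  # same filer filed twice
    ("t006", "40 Oak Rd, Ann Arbor, MI 48104", 2100.00),
]

# Common street-suffix spellings folded to one form (assumed, minimal list).
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd"}


def normalize_address(addr: str) -> str:
    """Collapse case, punctuation and suffix spellings so that trivially
    varied copies of one address group together."""
    s = re.sub(r"[^a-z0-9 ]", " ", addr.lower())
    return " ".join(_ABBREV.get(w, w) for w in s.split())


def flag_addresses(returns, max_filers_per_address=3):
    """Return {normalized_address: (distinct_filers, total_refund)} for every
    address that claims refunds for more distinct filers than the threshold.
    Duplicate filings by the same filer count once, so a taxpayer who
    resubmits is not mistaken for a fraud ring."""
    filers = defaultdict(set)
    refund_total = defaultdict(float)
    for filer, addr, refund in returns:
        key = normalize_address(addr)
        filers[key].add(filer)
        refund_total[key] += refund
    return {
        key: (len(ids), round(refund_total[key], 2))
        for key, ids in filers.items()
        if len(ids) > max_filers_per_address
    }


if __name__ == "__main__":
    for addr, (n, total) in flag_addresses(SAMPLE_RETURNS).items():
        print(f"{n} distinct filers at '{addr}', refunds at risk ${total:,.2f}")
```

In a real deployment the same grouping would be applied to the refund deposit account and to the IP address of e-filed submissions, and the threshold would be set from historical distributions rather than a fixed number; the point of the example is that the grouping must happen on a normalized key, or the check is defeated by punctuation.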

Tucker says the IRS is making progress in its fight against tax ID theft and other tax fraud, writing, “We're also going after the bad guys. We've started 800 criminal investigations since October. And crooks are going to jail for up to 20 years.”

Somehow I don’t think the tens of thousands of tax refund scammers are too worried.


NTSB: Texting While Flying Contributed to 2011 Helicopter Crash

Yesterday, the U.S. National Transportation Safety Board (NTSB) reviewed the findings of its investigation into the crash of a Eurocopter AS350 B2 helicopter operated by Air Methods Corporation (doing business under the name LifeNet). On Friday, 26 August 2011, at 1840 CDT, the helicopter, which was on an emergency medical services (EMS) mission, crashed following a loss of engine power caused by fuel exhaustion a mile from Midwest National Air Center (KGPH), Mosby, Mo. The pilot, flight nurse, flight paramedic and patient were fatally injured.

At yesterday’s NTSB inquiry, the board cited (pdf) as the probable causes of the accident “the pilot's failure to confirm that the helicopter had adequate fuel onboard to complete the mission before making the first departure, his improper decision to continue the mission and make a second departure after he became aware of a critically low fuel level, and his failure to successfully enter an autorotation when the engine lost power due to fuel exhaustion.”

In the preliminary NTSB accident report, the pilot was thought to have successfully entered autorotation before the crash. However, the full NTSB investigation found this not to be the case, and concluded that he may have been unsuccessful because of “the lack of practice representative of an actual engine failure at cruise airspeed in the pilot's autorotation training" in the make and model of helicopter being flown. The pilot, the NTSB found, had not received any of his autorotation training in a simulator, which, the NTSB stated, would have made him “better prepared” to deal with an emergency situation.

Also contributing to the accident, the NTSB said, were “(1) the pilot's distracted attention due to personal texting during safety-critical ground and flight operations, (2) his degraded performance due to fatigue, [and] (3) the operator's lack of a policy requiring that an operational control center specialist be notified of abnormal fuel situations.”


IT Hiccups of the Week: Computer Technology Upgrade Sours Small Michigan County

Last week saw a real hodgepodge of IT-related errors. While none of them could be called of major significance, they did serve to exemplify the daily annoyance and exasperation for those experiencing them, as well as the unexpected good fortune that sometimes results. We start off with a story whose plotline is no doubt experienced with some regularity. This time it is set in Lenawee County, Michigan (population 100 000), where a new computer system intended to make life easier and more productive for county employees has instead made it more difficult and highly stressful.

New Computer System “Overwhelms” Lenawee County Employees

Back in December 2011, Michigan’s Lenawee County Commission approved a US $1.45 million technology upgrade for outdated county computer systems and equipment, the Daily Telegram reported at the time. Poor economic conditions caused county tax revenue shortfalls, which in turn forced the county government to reduce its staff, yet the public still expected that “the same level of services” be provided. The Commissioners' expectation was that the new computer software and hardware would not only make county employees more productive but help avoid future staff lay-offs. The goal was to have all the system upgrades, which would affect every Lenawee County government agency and department, in place by the end of 2012.

The Daily Telegram reported last July that the upgrade had reached the half-way mark. While the county's IT staff were reported to be “under stress” from having to install the new system as well as maintain the legacy system (some county agencies had complained about the IT staff not responding quickly enough to on-going problems involving the legacy system), the county administrator informed the County Commissioners that, “We’re actually on the downhill side for IT.” County staff members were beginning their training on the upgraded system, the installation of which looked to be generally within budget and on schedule.

Last week, however, the Daily Telegram published a story indicating that all was not well with the tech upgrade. The Telegram quotes the county treasurer at a County Commissioner hearing as saying, “Things with the new system, they’re going slow and there are things we haven’t conquered yet.” The county clerk stated, “It’s not just a learning process. It’s the system itself. There’s things we thought it would do but it doesn’t do.” One example is the new financial and payroll system, which has created “more work and stress” for county employees instead of making them more productive and efficient, the Telegram reported.

The Lenawee county sheriff is none too happy either. With apparent anger, the sheriff told the Commissioners that, “There is no way we should be in the position we are in right now…  We’ve got a system that’s supposed to save us time, but they’re overwhelmed over there.” He also complained that the technology contractor was unresponsive to the technical problems being raised, and that the “level of training” the contractor provided was less than expected.

In addition, the sheriff, as well as other county agency officials, said that the county’s thinly resourced IT staff was in over its head and unable to cope with all the problems cropping up. The Lenawee IT department head basically agreed, saying that “…we probably faltered along the way,” and added that “The stress level everywhere is up through the roof right now.”

Unfortunately, exactly what happened between last July’s “downhill side for IT” and today’s IT tar pit is not explained in any other Telegram or newspaper stories that I can find. It makes one wonder whether upgrade progress was being reported as “green” right up until the day it was reported as really being “red.” The latest Telegram story indicates that the Commissioners are now thinking of allowing the county IT department to hire another person “to help with a logjam of computer problems.” Whether that will help much, at least in the short term, is debatable.


This Week in Cybercrime: Companies Attacked Every Three Minutes

Hackers Are Nothing If Not Persistent

Pick a company, any company. Well before you finish reading this blog post, that firm will likely have faced at least one malware-related event, and perhaps several. That’s the main takeaway from a new report on advanced persistent threats [pdf] released by researchers at the FireEye Malware Intelligence Lab. The group, which examined 89 million global malware events that FireEye documented during the second half of 2012, found that some companies have to fend off attacks as often as once every three minutes. "This nearly continuous rate of attacks and activities is indicative of a fundamental reality: these attacks are working, yielding dividends," says the report. The most targeted type of company is the tech firm, because of the value of its intellectual property. Rounding out the top five most attacked industries, says a Kaspersky Threatpost article, are telecom, logistics/transportation, manufacturing, and banking/finance. Who gets attacked the least? According to the report, government agencies, energy companies, and legal firms get comparatively little attention from hackers. The FireEye report also details the most common infiltration methods as well as the techniques attackers are now employing to evade security measures.


First Portable Telephone Call Made 40 Years Ago Today

Forty years ago today, Motorola announced that Martin Cooper, director of system operations at its Communications Systems Division, had made the world’s first public call (pdf) in Manhattan on its Dyna T-A-C (Dynamic Adaptive Total Area Coverage) Portable Radio Telephone System. The Motorola press release also credits the late John Mitchell, the division’s general manager and later president of Motorola from 1980 to 1995. The press release quotes Mitchell as saying, “What this means is that in a city where the Dyna T-A-C system is installed, it will be possible to make telephone calls while riding in a taxi, walking down the city's streets, sitting in a restaurant or anywhere else a radio signal can reach.”

Cooper made his call, which was as much a well-thought-out publicity stunt as an exhibition of a revolutionary technological (and societal) capability, on his “less than three pound” phone to the landline (of course) phone of his rival and counterpart Joel Engel at AT&T’s Bell Labs. Cooper said the purpose of the call between the two engineers was not only to show AT&T and the public what Motorola had created, but more importantly to put U.S. government regulators on notice that there could and should be competition to AT&T.

Cooper told the Wall Street Journal that the demonstration, “… had little to do with making a phone call. The whole purpose of building that phone was to shut down AT&T.”

While Cooper and Mitchell told UPI in 1973 that they expected to install the first DynaTAC portable phone network in New York by 1976, it took nearly another decade before the U.S. Federal Communications Commission (FCC) approved the DynaTAC phones for general public use. Motorola says it invested US $100 million between 1973 and 1983 to create its original cell network; its first cell phones would have set you back about $4 000 in 1983, or about $9 000 in today’s currency.


IT Hiccups of the Week: Expect Problems with New Medicaid System New Hampshire Warns

Last week was a relatively quiet week on the IT-related snag, snarl and uff da front. But it seems no one can roll out a new Medicaid system without IT problems, as many of New Hampshire's 10 000 Medicaid providers are likely to learn, unhappily, beginning today.

New Hampshire Government Officials Say Expect Problems Today With Its New Medicaid System

At least no one can say they weren’t warned.

“No one is under the illusion that we won't have problems… It's not going to be perfect. We know that there are a number of issues we have with this. We want to make sure we have a full understanding of what those issues are.”

Those presentiments come courtesy of New Hampshire’s Health and Human Services Commissioner Nick Toumpas, quoted in the New Hampshire Union Leader last week when he told the state’s Executive Council and the paper what to expect when the state's long-delayed new US $90 million Medicaid Management Information System (MMIS) goes live today, 1 April.

The new MMIS contract was originally let in December 2005 to Affiliated Computer Services (ACS, which was acquired by Xerox in 2010). The total contract cost, New Hampshire Watchdog.org states, was $60 million: “$26 million for the design phase, and $34 million for the full five-year operational phase.” The design phase was supposed to be complete by the end of 2007, and operations were scheduled to begin on 1 January 2008.

The Union Leader reports that the MMIS design “has been modified at least five times, with the Executive Council repeatedly voting to extend the contract after Xerox missed eight deadlines over the six-year period.” According to the paper, the design changes and delays were caused both by additional state and federal system requirements and by contractor implementation problems.

New Hampshire has been paying EDS (now owned by HP), which until today has been the developer and operator of the current MMIS and which lost the 2005 bid to ACS, some $8 million a year to keep the legacy system operational.

Toumpas told the Executive Council to expect angry phone calls from many of the state's 10 000 Medicaid providers reporting problems with the new MMIS, since there are known defects that haven’t been corrected yet. He also said there may be “calls from people about a defect we haven't anticipated yet.” Toumpas said that Xerox had beefed up its response team in anticipation of the expected complaints.

I’ll let you know next week whether the anticipated errors were minor or major. If the recent experiences of other states like Florida, Idaho and Ohio are any indication, the latter is more likely than the former.


Drone Manufacturers Whine That They Are Misunderstood

The AP published a story today about how drone manufacturers are worried about the growing “privacy backlash” in the United States concerning the prospect of swarms of government and private UAVs taking to the air once the U.S. Federal Aviation Administration works out how to let them fly safely in U.S. airspace. The agency intends to have the rules worked out by 2015.

The manufacturers, says the AP, are worried that the FAA will dawdle in its rule making and thus give politicians, privacy advocates, and others who worry that drones will be abused the time to erect what the manufacturers consider unnecessary barriers to their use. They are worried that their $6 billion in expected sales to law enforcement and public safety agencies might be negatively impacted, especially with military contracts shrinking.

Apparently, in the manufacturers’ minds, those who “fear … the technology will be misused” just need to be re-educated about its life-saving benefits. The AP story quotes a UAV support services supply company CEO as saying, “Our lack of success in educating the public about unmanned aircraft is coming back to bite us,” while a drone manufacturer is quoted as saying, “Any legislation that restricts the use of this kind of capability to serve the public is putting the public at risk.” The story also quotes the executive director of the Airborne Law Enforcement Association as saying that UAVs “clearly have so much potential for saving lives, and it’s a darn shame we’re having to go through this right now. It’s frustrating.”

Yep, we need drones everywhere for the children’s sake.

If it weren’t for those loud, pesky politicians like Rep. Ed Markey, D-Mass., co-chairman of the House Bipartisan Congressional Privacy Caucus, who introduced updated legislation last week to, among other things (pdf), require the FAA to “not issue drone licenses unless the application includes a data collection statement that explains who will operate the drone, where the drone will be flown, what kind of data will be collected, how that data will be used, whether the information will be sold to third parties, and the period for which the information will be retained” as well as require “law enforcement agencies and their contractors and subcontractors [to] include an additional data minimization statement that explains how they will minimize the collection and retention of data unrelated to the investigation of a crime,” those drones could be out saving lives right now.

Well, maybe once New York City Mayor Bloomberg’s term ends, the drone manufacturers can hire him as their spokesperson to educate Americans on how, as one drone manufacturer told the AP, “the benefits of these solutions (drones) … far outweigh the concerns.” Bloomberg said last week that drones are coming no matter what and, as a consequence, that Americans are just going to have to learn to live with “more visibility and less privacy.” Just think of them as merely roaming security cameras in the sky, he suggested.

There, don’t you feel safer already?

Photo: Erik Simonsen/Getty Images


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones