Risk Factor

This Week in Cybercrime: Stuxnet Two Years Older Than Previously Believed

Stuxnet’s Development Program Was a Long Thought-Out Process

On Tuesday, researchers from Symantec’s Security Response team released a report offering evidence that the Stuxnet worm that targeted industrial facilities in Iran—most especially the Natanz uranium enrichment facility suspected to be part of an Iranian effort to produce nuclear weapons—is two years older than previously thought. The 18-page report reveals that development of the malware dates back to 2005, although it first appeared in the wild in 2007. It wasn’t identified until July 2010. What explains the two-year lead time? An extended refinement process was probably part of what made Stuxnet and its precursor, Flame, so sophisticated. The exploits these bits of malware pulled off without attracting attention were "nothing short of amazing," Mikko H. Hypponen, chief research officer for F-Secure, a security firm in Helsinki, Finland, told IEEE Spectrum. Furthermore, says Hypponen, "You need a supercomputer and loads of scientists to do this." Symantec acknowledges that Stuxnet, which was designed to “take snapshots of the normal running state of the system, replay normal operating values during an attack so that the operators are unaware that the system is not operating normally... [and] prevent modification to the [compromised system] in case the operator tries to change any settings during the course of an attack cycle,” is among the most complicated coding ever seen.

For more on how Stuxnet really worked and on the efforts to track it down, see "The Real Story of Stuxnet" in this month's issue of IEEE Spectrum.
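The snapshot-and-replay trick Symantec describes is easy to picture but worth seeing in motion. The following is an added illustration, not code from Symantec’s report or from Stuxnet itself: a constructed sensor stream stands in for a centrifuge speed reading, an attacker records a window of normal values and replays it to the operator display while the real process is driven off its setpoint, and a monitor on the display side catches the replay by noticing that a window of noisy measurements has repeated verbatim (the process model, noise level, and window size are all assumptions chosen for the demonstration).

```python
"""Replay-attack simulation and a simple replay detector (added example).

Constructed process: a speed reading around 1000 with Gaussian measurement
noise. The attacker records the normal phase and replays it to the operator
while the real speed ramps up. Because independent noisy readings almost
never repeat exactly, an exact repeat of a whole window is a replay signal.
"""
import random
from collections import deque


def normal_reading(rng):
    # Assumed process: setpoint 1000, measurement noise with sigma 5.
    return round(1000.0 + 5.0 * rng.gauss(0, 1), 2)


def simulate(n_normal=200, n_attack=100, seed=7):
    """Return (actual, displayed) streams. During the attack phase the
    operator sees recorded normal values while the real value drifts."""
    rng = random.Random(seed)
    actual, displayed, recorded = [], [], []
    for _ in range(n_normal):
        v = normal_reading(rng)
        actual.append(v)
        displayed.append(v)
        recorded.append(v)          # attacker snapshots the normal state
    for t in range(n_attack):
        real = round(1000.0 + 3.0 * t + 5.0 * rng.gauss(0, 1), 2)
        actual.append(real)         # real speed ramps up 3 units per tick
        displayed.append(recorded[t % len(recorded)])  # replayed to the HMI
    return actual, displayed


def detect_replay(stream, window=8):
    """Return the index at which a window of readings first repeats an
    earlier window exactly, or None if no window repeats."""
    seen = {}
    buf = deque(maxlen=window)
    for i, v in enumerate(stream):
        buf.append(v)
        if len(buf) < window:
            continue
        key = tuple(buf)
        if key in seen:
            return i
        seen[key] = i
    return None


if __name__ == "__main__":
    actual, displayed = simulate()
    print("replay detected in displayed stream at index", detect_replay(displayed))
    print("real process at end of attack:", actual[-1], "displayed:", displayed[-1])
```

The detector is deliberately naive: an attacker who adds fresh noise to the replayed values defeats it, which is why the durable defence for a plant is an independent measurement path (a second sensor or a physics-based plausibility check) that the attacker does not control.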

Advanced Malware Escapes Sandbox with Help from Twitter

New malware designed to steal sensitive information exploits a sandbox-bypass vulnerability in Adobe Reader that Adobe patched on 20 February. The malicious code, dubbed MiniDuke by the researchers at Kaspersky Lab and CrySyS Lab who discovered it and released a report about it this week, has attacked the systems of government agencies in 23 countries, mostly in Europe. Among its novel features are the use of steganography to hide the code it uses to create, then slip in and out of, backdoors on compromised systems; the ability to assess whether a computer is in use; and the ability to determine what detection capability the machine has. MiniDuke can also reach out to Twitter accounts created by the attackers to read tweets seeded with information pointing to command and control servers, which serve continually updated commands and encrypted backdoors. Because the exploit rides in a document opened by Adobe Reader, systems that have not yet applied the 20 February patch remain exposed to the same attack.


West Virginia Taken to the Cleaners by Cisco

There was a great story over at Ars Technica this week regarding a recently published special audit report (pdf) by West Virginia’s Legislative Auditor regarding the state’s purchase three years ago of 1164 Cisco model 3945 routers at a price of US $24 million using federal stimulus funds (a tip of the hat to a Risk Factor reader for bringing this to our attention in a comment to a recent post).  The auditor concluded that not only did the purchase bypass the state’s competitive purchasing rules for IT equipment; the state bought far more capability than it would ever need now or in the foreseeable future, and at non-competitive prices to boot. 

The audit report, for example, cites the “city of Clay in Clay County [which] received 7 total routers to serve a population of 491. Five of these routers are located within .44 miles of each other.” The cost of those seven routers—each of which can support 200 simultaneous users—was around $20 000 apiece.

The auditor noted that over $6.6 million was spent on Cisco model 3945 router features that weren’t necessary to begin with. Furthermore, if the state had actually purchased the correctly sized routers, it could have saved at least another $8 million or so. I say at least, because that number is based on router prices quoted in a non-competitive bidding environment—holding a competition that included other router manufacturers (Alcatel-Lucent, Brocade, HP, Juniper, et al.) would have likely saved even more money. For each $5 million saved on routers, the state could have purchased 104 additional miles of needed broadband fiber, the auditor noted.

I name those manufacturers specifically because the West Virginia audit report points to “California State University, the largest four-year university in America, [which] used a competitive bidding purchase to purchase an eight-year refreshing of its 23-campus 10G network. The Director of Cyber Infrastructure of California State University provided documentation showing that Alcatel-Lucent won the project with a bid of $22 million. Cisco’s bid was $122.8 million. The other bids were Brocade at $24 million, Juniper at $31.6 million, and HP at $41 million. Furthermore in May of 2011, Purdue University bid out replacement components for its Hansen Computer Cluster. Cisco won the Purdue University competitive bid process by offering a 76 percent discount off the cost of its products.”

Why did this wasteful fiasco happen? The audit report basically says no one really knows for certain—or at least is willing to 'fess up to being the party who screwed up: stuff just sort of happened.  The best that can be determined was that those receiving the federal stimulus funds wanted to spend as much of them as fast as possible, need be damned. Or in the auditor’s words, “Those making the decisions on how to spend the money did not consult individuals with technical knowledge on the best methods to utilize the funds.”


IT Hiccups of the Week: At least 17.4 Million U.S. Medication Errors Avoided by Hospital Computerized Provider Order Entry Systems

This past week has seen a hodgepodge of IT-related uff das, glitches and snarls. However, we are going to start this week off with millions of human errors avoided by IT.

Computerized Provider Order Entry Systems Avoid an Estimated 17.4 Million Medication Errors Per Year

Last week, the Journal of the American Medical Informatics Association (JAMIA) published a study that estimated the reduction in medication errors in U.S. hospitals that could reasonably be attributed to their computerized provider order entry (CPOE) systems.  The study’s authors said that they “conducted a systematic literature review and applied random-effects meta-analytic techniques” to develop a “pooled estimate” of the effects of CPOEs on medication errors.

They then took this estimate and combined it “with data from the 2006 American Society of Health-System Pharmacists Annual Survey, the 2007 American Hospital Association Annual Survey, and the latter's 2008 Electronic Health Record Adoption Database supplement to estimate the percentage and absolute reduction in medication errors attributable to CPOE.”

Working through the data, the authors concluded that a CPOE system decreases the likelihood of a medication error by about 48 percent. "Given this effect size," say the authors, "and the degree of CPOE adoption and use in hospitals in 2008, we estimate a 12.5% reduction in medication errors, or ∼17.4 million medication errors averted in the USA in 1 year.”

The study authors are careful to note that it is unclear whether this reduction in medication error actually “translates into reduced harm for patients,” although the research tends to lead one towards that conclusion.

The number of medication errors avoided because of CPOEs is expected to rise as more hospitals install them. Only about 20 percent of U.S. hospitals had deployed CPOE systems as of the middle of 2012.


Déjà Vu All Over Again: California’s DMV IT Project Cancelled

The Golden State's Department of Motor Vehicles (DMV) must think it has checked into an IT version of Hotel California, where once a DMV modernization project is started, it can never ever finish it.

Last week, on behalf of DMV's management, California’s CIO informed state legislators that the DMV had decided to cancel, at the end of January, the remainder of its US $208 million, 6-year IT modernization project with Hewlett-Packard, which was supposed to be completed in May of this year. As reported in the LA Times, after spending some $134 million ($50 million on HP) and having “significant concerns with the lack of progress,” the DMV decided to call it quits and do a rethink of the program’s direction. HP had apparently seen the handwriting on the wall. Its contract ended last November, and HP refused to hire key staff until the contract was renegotiated.

The DMV IT modernization program was started in 2006 in the wake of a previous DMV project failure (called Info/California) that blew through $44 million between its start in 1987 and cancellation in 1994. That “hopeless failure,” as it was then described, was supposed to be a 5-year, $28 million effort; when it was terminated seven years in, the project’s cost to complete had skyrocketed to an estimated $201 million with an uncertain finish date. A 1994 LA Times story reported that an assessment found the DMV had limited experience in computer technology, grossly underestimated the project’s scope and size, and lacked consistent and sustained management. The project's failure also sparked a full legislative probe.

The current DMV debacle, along with this month’s termination of the MyCalPAYS project, has spurred calls for yet another probe. Legislators could save a lot of time and money by just cutting and pasting from the earlier project's investigation. I'm sure they'll find a lot of the same inexperience, underestimating, and inconsistent management.

Not all was lost in the current effort: at least a new system for issuing California drivers’ licenses was rolled out. However, the critical vehicle registration portion of the DMV system, with its decades-old “dangerously antiquated technology” (pdf), will have to stay in use while a new go-forward plan is developed.


IT Hiccups of the Week: U.K. O2 Mobile Customers Told To Be Careful What They Say

This week’s IT snafus and snarls have a definite international flavor to them. The first story takes us to the U.K., and a story of some “crossed lines.”

O2 Customers Complain About Eavesdropping on Calls

Last Tuesday, the Register ran a story about some Birmingham, England-area customers of U.K. mobile provider O2 being able to listen in on calls apparently originating in Scotland. According to the Register, customers started to complain about the “crossed lines” the previous week, but the weekend was nearly over before O2 was even able to confirm that this eavesdropping was indeed happening. Still, O2 told the Register on Monday that it was “unable to replicate the problem despite having received ‘a handful’ of complaints.”

Then a story in the London Telegraph said that the problem had spread beyond Birmingham to Scotland, Wales, and Liverpool, and potentially involved anyone using the O2 network in the affected areas.

On Thursday, a Daily Mail story reported that O2 had traced the problem to a network cable and card. The Mail quoted an O2 spokesperson as saying that, “We had a problem with a network card responsible for transferring call traffic in the Birmingham area which resulted in a handful of customers experiencing crossed lines during phone conversations...Our engineers identified that a cable linked to the card was not working correctly and fixed the problem at 6.15pm on Tuesday. We have been monitoring the situation closely with no further reported issues. We apologise for any inconvenience caused to our customers.”

During the eavesdropping interlude, U.K. financial expert Martin Lewis warned O2 and other wireless customers to be careful what they said, especially concerning their financial and personal affairs. According to the Register, the same problem has been intermittently reported by O2 customers since 2010, and Lewis's advice is probably sound in any case, given that the U.K. security services want to snoop on all phone calls being made.


U.S. Agency Issues Call for National Cybersecurity Standards

In the post-Stuxnet world, the prospect of undeclared cyberwar has been dragged out of the shadows to the front pages. With that in mind, yesterday the U.S. National Institute of Standards and Technology (NIST) kicked off an effort to establish a set of best practices for protecting the networks and computers that run the country’s critical infrastructure. The Cybersecurity Framework was initiated at the behest of President Barack Obama, who issued an executive order calling for a common core of standards and procedures aimed at keeping power plants and financial, transportation, and communication systems from falling prey to any of a wide range of cybersecurity threats.

The first step, says NIST, will be a formal Request for Information from infrastructure owners and operators, plus federal agencies, local government authorities, and other standards-setting organizations. NIST says it wants to know what has been effective in terms of keeping the wolves at bay. To that end, it will hold a series of workshops over the next few months where it will gather more input. The agency says that when the framework is completed in about a year, it should give organizations “a menu of management, operational, and technical security controls, including policies and processes” that will make them reasonably sure that their efforts represent an effective use of their time and resources. 

Oddly, though, the press release announcing the development of the Cybersecurity Framework makes no mention that NIST released the final public draft of Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations," on 5 February, with a public comment period that continues through 1 March. That control catalog already offers much of the “menu” of management, operational, and technical controls the framework promises to deliver a year from now.


California’s Payroll Project Debacle: Another $50 Million Up in Smoke

Ah, I love the smell of napalmed IT projects in the morning!

Not, though, when they are government IT projects and the wafting odor is from taxpayer monies going up in smoke. And unfortunately, for the past few weeks, the stench of burning government IT projects has been especially pungent.

We start off in California, where after burning through some $50 million, California State Controller John Chiang announced last Friday he had decided to terminate the state’s US $89.7 million contract “with SAP as the system integrator for the MyCalPAYS system, the largest payroll modernization effort in the nation.” The planned 5-phase effort mercifully never made it past the first pilot phase.

Furthermore, Chiang said that the Secretary of the California Technology Agency (CTA)  has “suspended further work until the CTA and SCO [State Controller’s Office] together conduct an independent assessment of SAP’s system to determine whether any of SAP’s work can be used in the SCO’s go-forward plan to address the State’s business needs.”

You may remember that Chiang sent SAP a letter last October warning that the project was “foundering and is in danger of collapsing,” and gave SAP one last chance in the form of a demand for urgent get-well efforts from the company. Chiang claimed that there were errors in one out of every three tasks performed by SAP's system, and that there hadn’t been a single pay cycle without material payroll errors occurring.

In Friday’s announcement, Chiang threw in the towel. He said that while he had hoped “for a successful cure to SAP’s failure to deliver an accurate, stable, reliable payroll system, SAP has not demonstrated an ability to do so.” This was especially disheartening, Chiang implied, given that the SAP effort covered only 1300 SCO employees who had “fairly simple payroll requirements.”  There was no way the SAP system could be trusted to support the payroll requirements of the state's "240 000 employees, operating out of 160 different departments, under 21 different bargaining units."

SAP said in response to the news of its contract termination that it was “extremely disappointed in the actions. SAP stands behind our software and actions.... SAP also believes we have satisfied all contractual obligations in this project.”

All of this, of course, suggests that when the napalm smoke clears, a date in court will be in the offing. Chiang as much as said so in the announcement: “The SCO will pursue every contractual and legal option available to hold SAP accountable for its failed performance and to protect the interests of the State and its taxpayers. This includes contractually required mediation and, if necessary, litigation.”

An SCO spokesperson called the project’s performance “frightening,” but what must be really frightening to California taxpayers is the continued inability of the state to manage the acquisition of its IT projects. So far, nearly $254 million has been spent in two unsuccessful attempts to get a state government payroll system in place, the LA Times reports. If SAP fights instead of settles, it would at least be a public service, exposing the depth of California’s IT project risk mismanagement.

The upshot is that California will continue to use its decades-old Cobol-based payroll system until it figures out what to do next. And to help it figure that out, the SCO has—in the best tradition of government—set up an IT Procurement Task Force. Whenever in doubt, form a committee.

I hope the Task Force members have strong stomachs; the stench of IT project failure coming out of California is of the mephitis variety.


IT Hiccups of the Week: University of Wisconsin Loses Another $1.1 Million Amid Payroll Glitches

This week’s IT hiccups and snafus are a varied lot. We’ll start off with the University of Wisconsin’s ongoing payroll and benefits system saga.

$1.1 Million Lost Because of Glitches in UW Payroll System – More May Follow

The Wisconsin State Journal reported last week that “glitches” with the University of Wisconsin’s controversial payroll and benefits system had resulted in US $1.1 million in improper payments which the university may likely end up having to absorb. In addition, the Journal reported, University President Kevin Reilly warned that further examination of the payroll system “by system staff, an independent analyst and the state auditor are ‘likely to find more issues.’”

This news has not gone over well with Wisconsin state legislators, who were already upset when an audit by the Legislative Audit Bureau released late last month indicated that problems with the UW payroll system had resulted in $33 million in improper payments being made over the past two years. Another Journal article reported that while some $20 million of those $33 million in overpayments have been recovered, much of the remaining $13 million may well have to be written off.

When the $33 million in overpayments was first reported, UW's Reilly put out a statement that said in part, “I am deeply troubled by these mistakes…. We will identify exactly why and how these significant errors occurred, we will validate that steps we have already taken are working, we will take any additional steps that need to be taken, and we will make absolutely sure that similar errors do not happen again.”


This Week in Cybercrime: Former State Government Employee Used Driver’s License Database Access to Snoop on Thousands

Minnesota Government Employee Wrongfully Accessed Driver’s License Data

It’s hard enough to keep your personal information out of the hands of cybercriminals bent on using it to steal from you or fraudulently acquire things in your name. But it seems like there’s no hope when organizations you trust with your personal details—like the Minnesota Department of Public Safety—mishandle them. That was likely the case for roughly 5000 state residents who found out this week that a former state employee has been charged with illegally accessing the records associated with their driver’s licenses. The data thief, who was once the state's Department of Natural Resources Enforcement Division's administrative manager, was authorized to look at a resident's records when they related to his office’s official business. But between 2008 and last October, he used his credentials to query the state Driver and Vehicle Services database more than 19 000 times. He looked up the names of politicians, judges, county and city attorneys, police officers, news reporters, family members and other state employees. Most of his downloads were of women whose pictures appeared in the database.

According to a Kaspersky Lab Threatpost article, four people who have been notified that their records were wrongfully accessed are suing the former employee, John Hunt, and other state employees. “They said the data breaches caused severe emotional stress and physical harm and were the result of ‘lax policies and lax enforcement’ that allowed an unsupervised, unmonitored Hunt to continually access records for years,” says the Threatpost article.
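The lawsuit’s complaint about “lax enforcement” is really a complaint about missing audit-log review: 19 000 queries over four years, most of them unconnected to any case, would trip even crude rules. As an added example that is not part of the original post or of any Minnesota system, the following Python flags database users who exceed a daily lookup rate, who mostly look up records with no case reference attached, or who touch records tagged as belonging to public officials. The log format, thresholds, user names, record identifiers, and the "sensitive" list are all constructed for the demonstration.

```python
"""Insider-misuse detection over a constructed driver-record audit log
(added example, not from any real DVS system)."""
from collections import defaultdict
from datetime import datetime

# Constructed log: ISO timestamp, user id, record id, case reference ("-" = none).
AUDIT_LOG = """\
2012-10-01T08:02:11 ranger7 DL-1001 CASE-4411
2012-10-01T08:03:09 ranger7 DL-1002 CASE-4411
2012-10-01T09:15:30 admin3 DL-2001 -
2012-10-01T09:15:41 admin3 DL-2002 -
2012-10-01T09:15:55 admin3 DL-2003 -
2012-10-01T09:16:10 admin3 DL-3100 -
2012-10-01T09:16:22 admin3 DL-2005 -
2012-10-01T09:16:35 admin3 DL-2006 -
2012-10-01T14:40:00 ranger7 DL-1003 CASE-4412
2012-10-02T10:01:00 admin3 DL-2007 -
2012-10-02T10:01:20 admin3 DL-3101 CASE-9000
"""

# Constructed: records of judges, officers, reporters and the like, whose
# lookups warrant review regardless of volume.
SENSITIVE_RECORDS = {"DL-3100", "DL-3101"}


def parse(log):
    """Parse log lines into (timestamp, user, record, case-or-None) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, rec, case = line.split()
        events.append((datetime.fromisoformat(ts), user, rec,
                       None if case == "-" else case))
    return events


def flag_users(events, max_per_day=5, max_uncased_ratio=0.5, min_lookups=3):
    """Return {user: [finding, ...]} for users matching any rule."""
    per_day = defaultdict(int)      # (user, date) -> lookups that day
    total = defaultdict(int)        # user -> lookups overall
    uncased = defaultdict(int)      # user -> lookups without a case reference
    sensitive = defaultdict(set)    # user -> sensitive records touched
    for ts, user, rec, case in events:
        per_day[(user, ts.date())] += 1
        total[user] += 1
        if case is None:
            uncased[user] += 1
        if rec in SENSITIVE_RECORDS:
            sensitive[user].add(rec)

    findings = defaultdict(list)
    for (user, day), n in per_day.items():
        if n > max_per_day:
            findings[user].append(f"{n} lookups on {day} (limit {max_per_day})")
    for user, n in total.items():
        if n >= min_lookups and uncased[user] / n > max_uncased_ratio:
            findings[user].append(f"{uncased[user]}/{n} lookups have no case reference")
    for user, recs in sensitive.items():
        findings[user].append(f"sensitive records accessed: {sorted(recs)}")
    return dict(findings)


if __name__ == "__main__":
    for user, notes in flag_users(parse(AUDIT_LOG)).items():
        print(user)
        for note in notes:
            print("  -", note)
```

A real deployment would baseline the rate per role rather than use a fixed limit, and would route the "no case reference" finding to a supervisor rather than straight to an alert queue; the point is that the signal was in the logs the whole time, and the rules needed to surface it are not sophisticated.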

Government Agencies, Military Among Users of Vulnerable Industrial Control System

What do the FBI, the Drug Enforcement Administration, the U.S. Marshals Service, the IRS, the U.S. Passport Office, the British Army, and Boeing have in common? They are just a few of the thousands of organizations whose facilities depend on an industrial control system with a security hole that could allow attackers to remotely control critical building functions such as electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, and alarms. The vulnerability in the Tridium Niagara AX Framework was reported on 5 February at the Kaspersky Security Analyst Summit.

Billy Rios and Terry McCorkle, security researchers with Cylance, demonstrated a zero-day attack that yields access to the system’s config.bog file, which holds login credentials and other configuration for the operator workstations and, through them, for the building systems those workstations manage. The exploit, say Rios and McCorkle, takes advantage of a vulnerability that gave them root on the system’s platform. “The platform is written in Java, which is really, really good from an exploitation standpoint,” Rios told Wired. “Once we can own the platform, a lot of the other stuff is very, very straightforward [to attack],” said Rios.

Rios and McCorkle reported that a search turned up roughly 21 000 Tridium systems that were accessible over the Internet.

In a written statement, Tridium revealed that the researchers notified it about the vulnerability in December; it has been working on a patch, which it says it expects to release by 13 February. In an attempt to downplay the vulnerability, the statement noted that, “The vast majority of Niagara AX systems are behind firewalls and VPNs—as we recommend—but clearly, as Rios and McCorkle have shown, there are many systems potentially at risk.” That’s a change of tune from Tridium’s stance just last year, when it told the Washington Post that its systems benefited from security through obscurity.

Tried-and-True Thieving Techniques Taken Up Again

Cyberthieves have developed sophisticated malware that can infiltrate a victim’s computer, allowing a thief to tap into online banking sessions initiated by customers in real time. Such malicious code is capable of conducting fraudulent transactions right under the victim’s nose and covering its tracks by updating the account balance and transaction history display in the victim’s browser. But because banks have developed countermeasures including software that detects anomalies in customers’ online access, some crooks are eschewing session hijacking and going back to the old and familiar: stealing login credentials for subsequent access from a separate computer. This shift was confirmed by researchers at security firm Trusteer, who reported this week that they noticed changes in the Tinba and Tilon financial Trojan programs. According to a 7 February blog post by Amit Klein, Trusteer's chief technology officer, the Trojans divert a customer attempting to access his or her bank’s website to a fake version. The rest is history, says Klein:

“Once the customer enters their login credentials into the fake page the malware presents an error message claiming that the online banking service is currently unavailable. In the meantime, the malware sends the stolen login credentials to the fraudster who then uses a completely different machine to log into the bank as the customer and executes fraudulent transactions.”

Now banks have to be on the lookout for both the new and (relatively) old-school techniques.
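The anomaly detection Trusteer alludes to is the reason the credential-theft variant works at all: a man-in-the-browser session rides on the victim’s own, already-trusted device, so only the stolen-credential path produces a login from a machine the bank has never seen for that account. As an added example that is not Trusteer’s code or any bank’s, the following Python scores a constructed event stream for exactly that pattern, a login from a device fingerprint unknown for the account followed within minutes by a transfer. The event format, account and device identifiers, and the ten-minute window are assumptions made for the demonstration.

```python
"""Device-anomaly scoring for online-banking sessions (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: ISO timestamp, account, device fingerprint, event kind.
EVENTS = """\
2013-02-01T09:00:00 acct-17 dev-A login
2013-02-03T18:30:00 acct-17 dev-A login
2013-02-05T12:10:00 acct-17 dev-A login
2013-02-07T03:12:00 acct-17 dev-Z login
2013-02-07T03:14:30 acct-17 dev-Z transfer
2013-02-07T10:00:00 acct-42 dev-B login
2013-02-07T10:20:00 acct-42 dev-B transfer
"""


def parse_events(text):
    """Parse lines into (timestamp, account, device, kind) tuples."""
    out = []
    for line in text.splitlines():
        ts, acct, dev, kind = line.split()
        out.append((datetime.fromisoformat(ts), acct, dev, kind))
    return out


def score_sessions(events, fast_transfer=timedelta(minutes=10)):
    """Return a list of (timestamp, account, device, reason) alerts.

    Rule 1: a login from a device never seen for an account that already has
            a device history (the first-ever device is not an anomaly).
    Rule 2: a transfer within `fast_transfer` of such a login, which matches
            the credential-theft playbook in the Trusteer post.
    """
    known = defaultdict(set)   # account -> device fingerprints seen so far
    last_new_login = {}        # account -> time of most recent new-device login
    alerts = []
    for ts, acct, dev, kind in events:
        if kind == "login":
            if known[acct] and dev not in known[acct]:
                alerts.append((ts, acct, dev,
                               "login from device never seen for this account"))
                last_new_login[acct] = ts
            known[acct].add(dev)
        elif kind == "transfer":
            t0 = last_new_login.get(acct)
            if t0 is not None and ts - t0 <= fast_transfer:
                alerts.append((ts, acct, dev,
                               "transfer within minutes of first login from a new device"))
    return alerts


if __name__ == "__main__":
    for ts, acct, dev, reason in score_sessions(parse_events(EVENTS)):
        print(ts.isoformat(), acct, dev, "-", reason)
```

The flip side is the caveat the post makes implicitly: this check is blind to the session-hijacking variant, where the fraudulent transfer comes from the victim’s usual device mid-session, so a bank needs both this kind of device history and the in-session behavioural checks that pushed the attackers toward credential theft in the first place.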

Adobe Releases Emergency Security Update

On 7 February, Adobe released a patch for its Flash Player meant to stop hackers from using two zero-day vulnerabilities to take over Windows PCs and Macs. Adobe was already planning to release a Flash Player update on 12 February, but because the software maker was “aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash content," it released the fixes as soon as they were ready. The other vulnerability was being used for so-called drive-by attacks that victimize computer users who navigate to a malicious website hosting an exploit.
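A Word document is an odd place for Flash content, and that oddity is the detection opportunity: a practitioner can scan inbound Office files for embedded SWF headers whether or not the Flash patch has landed. As an added example that is not Adobe’s or any vendor’s code, the following Python looks for the three SWF signatures (uncompressed, zlib-compressed and LZMA-compressed) both in a file’s raw bytes, which covers binary .doc files, and inside each member of a zip container, which covers .docx. It builds its own constructed sample documents in memory; the member path, the SWF version range accepted as plausible, and the sample bytes are assumptions made for the demonstration.

```python
"""Scan Office documents for embedded Flash (SWF) content (added example)."""
import io
import zipfile

# SWF file header: 3 magic bytes, 1 version byte, 4-byte little-endian length.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib, LZMA


def find_swf(data):
    """Return [(offset, magic, version, declared_length)] for plausible SWF headers."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            i = data.find(magic, start)
            if i < 0:
                break
            if i + 8 <= len(data):
                version = data[i + 3]
                length = int.from_bytes(data[i + 4:i + 8], "little")
                # Assumed plausibility bounds to cut false positives on random bytes.
                if 1 <= version <= 40 and length >= 8:
                    hits.append((i, magic.decode(), version, length))
            start = i + 1
    return hits


def scan_document(blob):
    """Scan raw bytes (binary .doc) and, if the blob is a zip (.docx), each member."""
    findings = {"raw": find_swf(blob)}
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                hits = find_swf(zf.read(name))
                if hits:
                    findings[name] = hits
    return findings


def constructed_docx_with_flash():
    """Build a minimal zip that mimics a .docx carrying an embedded SWF."""
    swf = (b"CWS" + bytes([11]) + (0x1234).to_bytes(4, "little")
           + b"\x78\x9c" + b"\x00" * 20)          # constructed header + filler
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", swf)
    return buf.getvalue()


def constructed_clean_docx():
    """Build a minimal zip with no Flash content, to show no false positive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("suspicious", constructed_docx_with_flash()),
                       ("clean", constructed_clean_docx())):
        hits = {k: v for k, v in scan_document(doc).items() if v}
        print(label, "->", hits or "no SWF found")
```

Flash inside an Office file is rare enough in most environments that a hit is worth quarantining on its own, but the scan only sees what is on disk: an OLE object that fetches Flash at open time will not match, so this belongs alongside, not instead of, the patch.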

UK Government Reasserts Its Right to Snoop on All Electronic Communications

Last April Fool’s Day, the BBC reported that the UK government was planning to introduce legislation that would allow the monitoring of all the “calls, emails, texts and website visits of everyone in the UK” by the Government Communications Headquarters (GCHQ) intelligence agency. The information would be monitored in real-time and then stored for two years before being erased. The government needed the monitoring capability, it said, to be able to “investigate serious crime and terrorism and to protect the public.”

The government also promised that the legislation would “ensure that the use of communications data is compatible with the government's approach to civil liberties.”

It's good to see the tradition of doublethink is alive and well in the UK.

Almost immediately, members of even the government’s own party said that this legislation was a massive overreach and threatened civil liberties. Telecommunication and Internet providers weren’t too happy either, saying that the program was going to be expensive and a nightmare to implement.

A pre-legislative parliamentary scrutiny committee was set up to look into the feasibility of the proposed legislation, now being dubbed the “snoopers charter.” By late autumn, word was that the committee did not like what it saw and was preparing to say so in a report in early December. The UK Home Secretary, Theresa May, was aggressively pushing the legislation and on 3 December, upon hearing of the committee’s unflattering appraisal of it, launched a preemptive strike on the committee’s findings. She told the Sun newspaper that the legislation had to be passed, otherwise “we could see people dying” and “criminals going free” including “pedophiles who will not be identified.” She also warned of a reduction in “our ability to deal with this serious organized crime.”

May concluded, “Anybody who is against this bill is putting politics before people’s lives.”

However, the committee was unimpressed by May’s "you are either with us or against us" attack.  On 10 December, the Guardian published a story detailing the committee's determination that the legislation was unworkable as written, that it “tramples on the privacy of British citizens,” and further that the estimated cost of the effort of some £1.8 billion over 10 years was “fanciful and misleading.” Nick Clegg, the leader of the government’s Liberal Democrat coalition party, told May, “We cannot proceed with this bill and we have to go back to the drawing board."

So politics and common sense won out, at least for a little while.  There were warning signs that this wouldn't last, however. While May stated that she was “open-minded” about changing the legislation, the Guardian reported that she “remained determined to introduce it before the session ends next spring and get it on the statute book before the next election.”

This week May's snooping desires got a boost as the London Telegraph reported that the cross-party parliamentary Intelligence and Security Committee (ISC) has come out in support of the "snoopers charter," though it also warned that “the government must do more to convince the public of the need for them.” Hmm, sounds like it's time to beat the “it’s all for the sake of the children” drum a bit louder, or maybe, to say, a la Orwell, that the charter is needed as an “act of self-defense against a homicidal maniac.”

According to the Telegraph, the Director General of MI5, Jonathan Evans, said that without the legislation, “it was increasingly difficult to be confident that targets were being fully watched” because of rapid changes in communication technology. And in a related story at the Guardian, the Home Office claims that the charter is urgently needed as “there is already a 25 percent ‘capability gap’ between the tracking data that the security services need to access and their ability to do so.”

Evans did admit to the ISC, though, that the Home Office’s 25 percent figure depended upon some “pretty heroic assumptions,” the Guardian reported. In other words, it was most likely a number that made for a good news sound bite, but one that lends the claimed capability gap little credibility indeed.

A story at the Daily Mail reports that the UK's intelligence service says it isn't interested in unfettered access to the content of every communication, and that its fetters would still be court orders, which it would continue to obtain. It just wants information on “who sends a message, where and how it is sent, and who receives it.”

Of course, with people's identities closely bound with their cellphones, and with all the GPS and other information that cellphones throw off these days, this metadata is often more revealing than the content itself, much of which, by the way, can probably be inferred pretty quickly with advanced data analytics. And if the messages are passing through the communication channels being monitored by the U.S. National Security Agency, the contents can probably be provided to GCHQ without a UK court order request even being filed.

The Daily Mail article also points out that GCHQ isn’t worried whether the messages are encrypted, either. Apparently, it has “options” to deal with it.

How this all plays out, only time will tell. But the idea of a democratic government that maintains its belief in its citizens' right to privacy while claiming in the same breath that it also has a right to snoop on all forms of electronic communication reminds me of another Orwell quote: “We have now sunk to a depth at which restatement of the obvious is the first duty of intelligent men.”



Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones