Risk Factor iconRisk Factor

UK Government Mislays Half the Country's Personal Details

Reuters is reporting that the UK government Chancellor of the Exchequer Alistair Darling informed parliament that "two discs containing information on 25 million Britons had disappeared after being sent through HMRC's courier, Dutch mail and parcel company TNT NV, and a police investigation was underway."

"The missing information contains details of all child benefit recipients: records for 25 million individuals and 7.25 million families," according to Darling. It was a "serious failure" he said - no kidding?

Hmm, let's see. The UK government desires every citizens' and travelers' DNA, every person's travel related details, has created a national registry of all children under 18, is developing a national ID card, etc., etc., and yet it can't guarantee basic protection to any of the information it collects.

Nice, very nice.

Why Government Needs Sarbanes-Oxley - and its Penalties

This past week a $31 million property tax refund scam conducted by members of the Washington DC Office of Tax and Revenue was revealed by the FBI. The scam has been running for at least the past seven years, and allegedly involved two tax office employees (so far) and their families. The perpetrators were so unconcerned about getting caught, they sent a phony $346,700 check to a fictitious company named "Bilkemor LLC."

The employees were able to get away with the scam because their activities weren't supervised, nor extensively if at all audited. A "breakdown of internal controls" were blamed by DC officials - something that Sarbanes-Oxley reviews of computer system controls would have made much more difficult. The District's CFO hasn't resigned, and has indicated that he sees no reason to do so. Basically, he stated that it wasn't his fault, that he has already fired the wayward employees' managers, and that it wasn't a big deal anyway, since it didn't materially affect the District's finances: "It is important to emphasize that this unfortunate incident does not compromise the financial stability and viability of the District."

Public corporations would love to operate under that definition of materiality. If the CFO or CEO were in the same position of utter and absolute ignorance of their company's finances, they would be fired, sued by shareholders, and face possible criminal charges. I guess shareholder money is more important to protect than that of taxpayers.

This week, the Security and Exchange Commission (SEC) also admitted once again that it still couldn't meet Sarbanes-Oxley requirements either - more than a bit ironic for the agency whose job is to administer it to public companies and punish those who transgress its requirements. No one at the SEC is losing their job because of material weaknesses found there either, it appears.

NASA Hack Costs $1.5 million to Fix

Government Computer News reported that recent intrusions into NASA's Earth Observing Systemâ''s networks â''cost NASA $1.5 million for incident mitigation and cleanup costs alone,â'' according to NASA's inspector general, Robert Cobb, in a memo issued Nov. 13.

According to Cobb, these costs were above the operational costs NASA sustained by the loss of systems availability. Cobb noted further that, "We have again included IT Security as a most serious management and performance challenge because our work and that of the Agency continues to report that significant weaknesses persist and many IT security challenges remain. Significant management and operational and technical control weaknesses continue to impact the Agencyâ''s IT Security Program and threaten the confidentiality, integrity, and availability of NASA information and its systems. That threat is tangible in that the Agency continues to be a target for criminal computer intrusions."

Good IT News, Bad IT News at Department of Justice

The annual report by the Department of Justice's Office of the Inspector General (OIG) on the state of IT in the DOJ says that the FBI has made progress in implementing its Sentinel system. The report notes that, "Over the past several years, the FBI has instituted better IT management processes and controls through its Life Cycle Management Directive. Continuity in both the FBIâ''s CIO position and its project management staff â'' a huge problem in failed previous efforts â'' also has stabilized. In addition, all of the FBIâ''s IT activities have been centralized under the FBI CIO, who now controls all agency IT spending.â''

However, the IG goes on to note: "The Department also faces the challenge of assuring that the more than $2 billion it receives annually for the Departmentâ''s IT systems is being spent effectively. A June 2007 OIG report examined the Departmentâ''s inventory of IT systems and identified 38 major IT systems estimated by system mangers to cost over $15 billion through 2012. The OIGâ''s audit found that the cost information the Department provides on its IT systems to Congress, OMB, and senior management within the Department is unreliable. Specifically, IT system cost reporting within the Department is fragmented, uses inconsistent methodologies, and lacks control procedures necessary to ensure that cost data for IT systems is accurate and complete."

The OIG also said there was big trouble with the Integrated Wireless Network (IWN), a $5 billion joint project among the Department of Justice, the DHS, and the Department of Treasury that is intended to address federal law enforcement requirements to communicate across agencies, allow interoperability with state and local law enforcement agencies, and meet federal mandates to use federal radio frequency spectrum more efficiently. The OIG concluded that, "the IWN project was at a high risk of failure. Despite over 6 years of development and more than $195 million in funding, the OIG concluded that the IWN project does not appear to be on the path to providing the intended seamless interoperable communications system. The causes for the high risk of project failure include uncertain and disparate funding mechanisms for IWN, the fractured partnership between the Department and DHS on IWN, and the lack of an effective governing structure for the project."

It's a good thing, I guess, that you can't IWN them all.

Subtle Chip or Apllication Math Errors Can Lead to Big Problems

Over the weekend, the New Yorks Times ran an article on a potential IT security problem posed by errors in microprocessor chips such as the Intel Pentium error of a few years back or the recent Microsoft Excel spreadsheet bug.

Adi Shamir, a professor at the Weizmann Institute of Science in Israel and one of the three designers of the RSA public key algorithm, circulated a research note about how an attacker could exploit an undetected subtle math error and make breaking public key cryptography possible.

The Times article notes that Mr. Shamir believes that "if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be 'trivially broken with a single chosen message.' Executing the attack would require only knowledge of the math flaw and the ability to send a 'poisoned' encrypted message to a protected computer. It would then be possible to compute the value of the secret key used by the targeted system. With this approach, 'millions of PCâ''s can be attacked simultaneously, without having to manipulate the operating environment of each one of them individually.' "

It isn't believed that this technique is being used - yet. It still seems easier to poison PC components themselves like hard drives at the factory, which recently happened to Seagate Maxtor drives made in Thailand and which were pre-loaded with password stealing Trojan horses.

Air Canada Computer Problems

Air Canada said there was a communications error between the airline's central reservation and check-in system affecting airports across Canada beginning at 0430 Friday morning. The system-wide problem affected both international and domestic flights with the worst delays experienced during the peak morning travel hours.

The delays weren't as bad as the recent problems at LAX.

Scarce Computer Science Students at Cambridge

A small news item appeared in the London Guardian this past week about how Cambridge University in England is desperate for computer science applicants. Cambridge is receiving only 40% as many applicants that it did in 2000. Professors there blame the drop on the perception that computer science students are "geeky" and that the best jobs are being outsourced to India and China.

FBI Virtual Case File Opportunity Cost?

A Lebanese-born CIA officer and former FBI agent Nada Nadim Prouty pleaded guilty this week to charges that, among other things (like submitting forged documents to obtain American citizenship) she illegally sought classified information from FBI computers in September 2002 and June 2003 concerning the Islamic group Hezbollah.

According to the New York Times, the agent's sister and brother-in-law "attended a fund-raising event in Lebanon in August 2002 at which the keynote speaker was Sheikh Muhammed Hussein Fadlallah, the spiritual leader of Hezbollah. Sheikh Fadlallah has been designated by the United States government as a terrorist leader." She checked the FBI computers to see what information law enforcement had on relatives, as well as herself.

It is interesting to speculate whether Prouty would have dared to check the FBI files in June 2003 if the Virtual Case File was visibly on track to be completed on-time (December 2003 or June 2004, take your pick), and or whether her 2002 or 2003 snooping would have also been discovered in 2004 before she went to the CIA, not 2007.

Just Some Neat Earth Rise/Set Pictures

If you haven't seen them yet, the Japan Aerospace Exploration Agency (JAXA) released some great HD pictures of earth rise and earth set as seen from the moon.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones
Load More