Risk Factor

Cyber Risk Review

Today's San Jose Mercury News has published Part 1 (registration may be required) of a three-part series on organized cybercrime, often based in Russia, and the widespread use of botnets to steal your identity and money. It also has an engaging slide show on internet crime, along with an interview with Dave DeWalt, the new CEO of McAfee.

The series coincides with the news reported today at the Dark Reading website that a "New York grand jury has indicted 17 people and a corporation on charges of identity theft, worldwide trafficking in stolen credit card numbers, and other crimes committed using the Internet." Those indicted, several with apparent ties to Russia, are said to have trafficked in more than 95,000 stolen credit card numbers and caused more than $4 million in credit card fraud.

For those who are interested in this subject, as part of the article I wrote in this month's IEEE Spectrum on Open-Source Warfare, I interviewed Tom Kellermann on how terrorists are using the Internet for money laundering, fundraising, and identity theft. Kellermann was a member of the Treasury Security Team at the World Bank, where he advised central banks on monitoring illicit online activity. He's currently vice president of security awareness at Core Security Technologies, in Boston.

Tom pointed out, as did the Mercury News story, that there is a large and growing underground economy where you essentially can hire software mercenaries to build code to attack a targeted system and to data mine that system for your own use. In this community, a perverse "Robin Hood" mentality prevails: steal and take what you can, or barter what you find, so that you can support your efforts in the real world.

Reading the Mercury News article and Tom's interview can be disconcerting to say the least. If you wish to stay worried or become slightly paranoid, do a daily read of the Dark Reading website. After about a week, it makes you wonder why anyone, including yourself, ever signs onto the net.

Computer Problems at London Stock Exchange

The London Stock Exchange suffered disruptions for the last 40 minutes of the trading day due to a computer problem which resulted in incorrect share prices being displayed. The trading day was extended for another 90 minutes to make up for the problems traders were having.

The last major disruption at the LSE occurred in the first week of April 2000. That week also saw computer problems hit the Nasdaq and the Toronto Stock Exchange. It reaffirmed the old maxim that bad news comes in threes.

Is it time for a repeat?

Building Construction Mirrors Software Development

MIT filed a negligence lawsuit against architect Frank Gehry and construction company Skanska USA Building Inc, claiming "design and construction failures" exist in its $300 million Stata Center that was opened in 2004, according to stories in the Boston Globe and New York Times. The Center opened to widespread praise by MIT.

Gehry, who has described the building as looking like "a party of drunken robots got together to celebrate," claims the issues are "fairly minor" and should be expected "in the design of complex buildings."

"These things are complicated and they involved a lot of people, and you never quite know where they went wrong. A building goes together with seven billion pieces of connective tissue. The chances of it getting done ever without something colliding or some misstep are small."

The executive vice president and area general manager of Skanska USA, however, said that, "This is not a construction issue. Never has been." He claims that Gehry had rejected Skanska's formal request to change the design of the outdoor amphitheater, a source of many of the problems: "We were told to proceed with the original design."

Gehry, in turn, blamed cost-cutting by MIT: "There are things that were left out of the design. The client chose not to put certain devices on the roofs, to save money."

Doesn't this just sound like the aftermath of an IT project gone bad?

LA Unified School District Payroll System 82.4% Fixed

Today was payday once again for employees of the LA Unified School District (LAUSD). As you may have been following here, LAUSD implemented a new payroll system that has not exactly worked as planned.

In a story in today's LA Times, the problems supposedly now have been solved or at least most of them. According to LAUSD's spokesperson Binti Harvey, "employees' paychecks may be different, (but they are) more likely to be correct." She didn't specify a probability figure related to that likelihood, however.

Furthermore, Harvey says data shows that, "82.4% of all system defects have been fixed, and another 10.4% will be fixed" by the December payday. I guess using the decimal point means that 824 or 8240 defects have been fixed, and that either another 104 or 1040 still remain.

That of course assumes that current fixes don't create new defects. Also, the way Harvey said it, there seems to be an implication that all system defects are created equal. Either assumption is highly dubious.

Of course, given that many LAUSD employees have received over-payments as well as under-payments for months now, I don't envy them at all when they try figuring out whether today's paycheck is actually correct. I would hate to be in their shoes at the end of this year when they have to determine whether their total pay for 2007 is right or not. They might end up paying a whole lot more in taxes they did not expect.

As the Times story notes:

"With 2007 coming to a close, income tax forms present an additional worry, said A.J. Duffy, president of United Teachers Los Angeles. 'Our members are very concerned about their taxes,' Duffy wrote in a statement. 'LAUSD has told us that they may not be able to meet with all UTLA members before the end of the calendar year. Our members are concerned that their payroll issues will be resolved way too late.' "

What fun. I'll be back in December with another update.

What Business Risk?

ComputerWorld reports that a survey commissioned by the Information Systems Audit and Control Association (ISACA) found that 15% of respondents admitted logging onto peer-to-peer file sharing networks from work computers despite security warnings to the contrary. A further 74% of the survey respondents said they don't believe that downloading unauthorized content or software to work PCs creates a business risk.

I wonder what these 74% do consider a business risk.

No One Did Anything Wrong

As reported in the Palm Beach Post, the Palm Beach County courts are trying to determine whether they should scrap their computer system that had a $13.6 million upgrade last year. The upgrade got them off their old mainframe onto a newer platform, and it was slated to give the court some functional upgrades as well.

Unfortunately, things haven't turned out too well. For example, when the court's computer system electronically alerts the Florida Department of Motor Vehicles of license suspensions, court staff have to telephone the DMV to ensure the information was not only received but received correctly. Another example was that before sending out 40,000 letters ordering people who owed the court money for unpaid fines, court staff had to manually check to ensure that they were mailing letters to the people who actually owed the court money and that the amounts stated in the letters were correct.

As a result of the problems, the courts have had to hire an additional 29 staff at a cost of $1.4 million per annum to try to keep the court system operating to some level of normality.

The upgrade, which was originally estimated to take six months to a year to convert all the data stored in the mainframe into the new system, actually took 3 1/2 years. When the initial schedule estimate was made, court officials figured they would encounter three or four different methods of inputting data into the system. However, over 150 different methods were actually being used.

No one seems to have checked this "minor" assumption before the contract was let. It gets better.

During the upgrade, one vendor went bankrupt, another gave up and left and a third was fired and ultimately reimbursed the county $5.6 million. The fourth "completed" the upgrade, if you can call a computer system with "tens of thousands of errors" in it complete.

To make the situation even more interesting, who controlled and paid for the system upgrade was a subject of a political wrestling match for its entire development.

In reflecting on the fiasco, Clerk of Courts and Comptroller Sharon Bock is quoted as saying, presumably with a straight face that, "It's not something that anyone did wrong."


Sounds to me like it's time for the IT Mercy Rule to take effect.

How do you spend £12.4bn over 10 years? Start by spending £2.4bn in 10 minutes

The BBC reported last week that the decision to move forward in 2002 with the UK National Health Service's electronic health records programme, the National Programme for IT (NPfIT), took place after a ten-minute presentation to then Prime Minister Tony Blair. The cost estimate for NPfIT - done basically on the back of an envelope - was for £2.4bn over three years, to which Blair basically said, "Go for it."

Surprise, surprise, NPfIT is currently projected to cost £12.4bn over ten years, and even that estimate is likely severely optimistic. Tony Collins over at ComputerWeekly, who has been following the NPfIT situation for years, has all the gory details. Collins has been trying to get the minutes of the meeting released, which the government refuses to do, despite being directed to do so by the Information Commissioner.

The NHS has recently stated that regardless of the many problems the NPfIT has faced, it is highly successful, and that it is "so well advanced that the health service 'could no longer function' without it."

This is kind of like Homer Simpson saying, "I think Smithers picked me because of my motivational skills. Everyone says they have to work a lot harder when I'm around."

E-Mail Madness Redux

A friend of mine in the UK pointed out a similar instance to the DHS E-Mail Madness that hit in early October. The British Computer Society (BCS) last week sent over 700 members an email without using the blind carbon copy field, just as happened in the DHS incident. Ironically, the email was a request for people to fill in an online survey on BCS customer service satisfaction.

As in the DHS email situation, recipients responded with "unsubscribe me" messages using reply-all, which of course got more people annoyed, and so on. At least there were no reports that people used the email to solicit jobs or votes for Parliament. Must be that famous British reserve.

What Does Microsoft Do With All That Error Data?

On a "good" day, some 50 gigabytes of error data flows into Microsoft, according to a story in today's Wall Street Journal (subscription required). Two dozen programmers pore over the data, looking for OS kernel and/or application problems resulting from design flaws, programming errors, resource conflicts, and other sorts of programmer and designer ingenuity.

Microsoft won't say where the majority of errors lie or who is at fault, nor give any details about how Vista, XP, Windows 98, and Windows 95 compare, which is too bad. Nor does Microsoft say how errors are prioritized for repair, or whether those two dozen programmers get any say. It also doesn't say how many 50 gigabyte days occur.

As I read the story, I got to wondering about those two dozen programmers who look over all the error data coming in. Do they get excited when a big day of error data hits? Do they take bets on when the first 60 gigabyte day will occur, or which is the least busy day of the year? Do they have a list of known but obscure errors, and then try to guess (err.. predict) when each will show up for the first time? Is there a bell that gets rung when it does?

Also, is that position a stop on the way towards bigger and better things, or is it a career path all its own? Is there a title of Chief Error Guru? Do you move from a development team to this error discovery team, or vice versa? After being there awhile, you must get a pretty good education as to what not to do in developing applications or OS kernels. Are those lessons learned promulgated throughout the company and to others in the software community?

Anyone out there who knows, let me know. I'm curious about the dirty two-dozen.

New England Patriots Win Big - On Two Fronts

Having grown up in New England but now living in Virginia, it has been a mixed week for me in the world of sports. Boston College beat Virginia Tech last Thursday night in Blacksburg, Virginia, coming from 10 points behind in the last four minutes to win and keep their number 2 ranking in college football. Then yesterday afternoon, the New England Patriots crushed the Washington Redskins for their eighth win in a row to keep their perfect season hopes alive. (Oh yes, the Bosox won the World Series again last night - but at least they weren't playing the Washington Nationals.)

Anyway, it must be great to be a sports fan right now in New England, except maybe for some Patriot season ticket holders. You see, last year the Patriots sued StubHub! (which is owned by eBay and enables fans to buy and sell tickets to sporting, concert, theater and other live entertainment events, even those that are otherwise sold out) for its list of people who were using the site to resell their Patriot tickets. The Patriots allow season ticket holders to resell their tickets at face value on the team's website, but prohibit all other resales.

StubHub! fought hard against the lawsuit, claiming it violated customer privacy, was anti-competitive, etc., etc., but the company was recently ordered by a Massachusetts Superior Court judge to turn over to the Patriots the contact information of every person who used StubHub.com to sell, attempt to sell, buy, or attempt to buy a ticket to a Patriots home game from November 2002 to January 2007. It is estimated that 13,000 names have since been turned over.

The Patriots have remained mum on what exactly they are going to do with the information now that they have it. However, the Massachusetts court judge said that the Patriots intended to use the identities of the purchasers and sellers not only for this case, but also for their own other allegedly legitimate uses, such as canceling season tickets of 'violators' or reporting to authorities those customers that they deem to be in violation of the Massachusetts anti-scalping law.

At this time, the Patriots will most likely make it deep into the NFL play-offs, and, if they continue to play as they have so far this season, they have a decent chance to repeat as Super Bowl champions.

I wonder if the Patriots are going to drop kick some of their season ticket holders before or after the playoffs.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones