
IT Hiccups of the Week: At least 17.4 Million U.S. Medication Errors Avoided by Hospital Computerized Provider Order Entry Systems

This past week has seen a hodgepodge of IT-related uff das, glitches and snarls. However, we are going to start this week off with millions of human errors avoided by IT.

Computerized Provider Order Entry Systems Avoid an Estimated 17.4 Million Medication Errors Per Year

Last week, the Journal of the American Medical Informatics Association (JAMIA) published a study that estimated the reduction in medication errors in U.S. hospitals that could reasonably be attributed to their computerized provider order entry (CPOE) systems. The study’s authors said that they “conducted a systematic literature review and applied random-effects meta-analytic techniques” to develop a “pooled estimate” of the effects of CPOEs on medication errors.

They then took this estimate and combined it “with data from the 2006 American Society of Health-System Pharmacists Annual Survey, the 2007 American Hospital Association Annual Survey, and the latter's 2008 Electronic Health Record Adoption Database supplement to estimate the percentage and absolute reduction in medication errors attributable to CPOE.”

Working through the data, the authors concluded that a CPOE system decreases the likelihood of error by about 48 percent. "Given this effect size," say the authors, "and the degree of CPOE adoption and use in hospitals in 2008, we estimate a 12.5% reduction in medication errors, or ∼17.4 million medication errors averted in the USA in 1 year.”

The study authors are careful to note that it is unclear whether this reduction in medication error actually “translates into reduced harm for patients,” although the research tends to lead one towards that conclusion.

The number of medication errors avoided because of CPOEs is expected to rise as more hospitals install them. Only about 20 percent of U.S. hospitals had deployed CPOE systems as of the middle of 2012.


Déjà Vu All Over Again: California’s DMV IT Project Cancelled

The Golden State's Department of Motor Vehicles (DMV) must think it has checked into an IT version of Hotel California, where once a DMV modernization project is started, it can never ever finish it.

Last week, on behalf of DMV's management, California’s CIO informed state legislators that it had decided to cancel at the end of January the remainder of its US $208 million, 6-year IT modernization project with Hewlett-Packard, which was supposed to be completed in May of this year. As reported in the LA Times, after spending some $134 million ($50 million on HP) and having “significant concerns with the lack of progress,” the DMV decided to call it quits and do a rethink of the program’s direction. HP had apparently seen the handwriting on the wall. Its contract ended last November, and HP refused to hire key staff until the contract was renegotiated.

The DMV IT modernization program was started in 2006 in the wake of a previous DMV project failure (called Info/California) that blew through $44 million between its start in 1987 and cancellation in 1994. That “hopeless failure,” as it was then described, was supposed to be a 5-year, $28 million effort; when it was terminated seven years in, the project’s cost to complete had skyrocketed to an estimated $201 million with an uncertain finish date. A 1994 LA Times story reported that an assessment found the DMV had limited experience in computer technology, grossly underestimated the project’s scope and size, and lacked consistent and sustained management. The project's failure also sparked a full legislative probe.

The current DMV debacle, along with this month’s termination of the MyCalPAYS project, has spurred calls for yet another probe. Legislators could save a lot of time and money by just cutting and pasting from the earlier project's investigation. I'm sure they'll find a lot of the same inexperience, underestimating, and inconsistent management.

Not all was lost in the current effort: at least a new system for issuing California drivers’ licenses was rolled out. However, the critical vehicle registration portion of the DMV system, with its decades-old “dangerously antiquated technology” (pdf), will have to stay in use while a new go-forward plan is developed.


IT Hiccups of the Week: U.K. O2 Mobile Customers Told To Be Careful What They Say

This week’s IT snafus and snarls have a definite international flavor to them. The first story takes us to the U.K., and a story of some “crossed lines.”

O2 Customers Complain About Eavesdropping on Calls

Last Tuesday, the Register ran a story about some Birmingham, England-area customers of U.K. mobile provider O2 being able to listen in on calls apparently originating in Scotland. According to the Register, customers started to complain about the “crossed lines” the previous week, but the weekend was nearly over before O2 was even able to confirm that this eavesdropping was indeed happening. Still, O2 told the Register on Monday that it was “unable to replicate the problem despite having received ‘a handful’ of complaints.”

Then a story in the London Telegraph said that the problem had spread beyond Birmingham to Scotland, Wales, and Liverpool, and potentially involved anyone using the O2 network in the affected areas.

On Thursday, a Daily Mail story reported that O2 had traced the problem to a network cable and card. The Mail quoted an O2 spokesperson as saying that, “We had a problem with a network card responsible for transferring call traffic in the Birmingham area which resulted in a handful of customers experiencing crossed lines during phone conversations...Our engineers identified that a cable linked to the card was not working correctly and fixed the problem at 6.15pm on Tuesday. We have been monitoring the situation closely with no further reported issues. We apologise for any inconvenience caused to our customers.”

During the eavesdropping interlude, U.K. financial expert Martin Lewis warned O2 and other wireless customers to be careful what they said, especially concerning their financial and personal affairs. But according to the Register, this same problem has been intermittently reported by O2 customers since 2010, and Martin's opinion is probably good advice given that the U.K. security services want to snoop on all phone calls being made.


U.S. Agency Issues Call for National Cybersecurity Standards

In the post-Stuxnet world, the prospect of undeclared cyberwar has been dragged out of the shadows to the front pages. With that in mind, yesterday the U.S. National Institute of Standards and Technology (NIST) kicked off an effort to establish a set of best practices for protecting the networks and computers that run the country’s critical infrastructure. The Cybersecurity Framework was initiated at the behest of President Barack Obama, who issued an executive order calling for a common core of standards and procedures aimed at keeping power plants and financial, transportation, and communication systems from falling prey to any of a wide range of cybersecurity threats.

The first step, says NIST, will be a formal Request for Information from infrastructure owners and operators, plus federal agencies, local government authorities, and other standards-setting organizations. NIST says it wants to know what has been effective in terms of keeping the wolves at bay. To that end, it will hold a series of workshops over the next few months where it will gather more input. The agency says that when the framework is completed in about a year, it should give organizations “a menu of management, operational, and technical security controls, including policies and processes” that will make them reasonably sure that their efforts represent an effective use of their time and resources.

Oddly, though, the press release announcing the development of the Cybersecurity Framework makes no mention that the final public version of a report titled, "Security and Privacy Controls for Federal Information Systems and Organizations" was released on 5 February and that the public comment period continues through 1 March.

Image: Linda Bucklin/iStockphoto

California’s Payroll Project Debacle: Another $50 Million Up in Smoke

Ah, I love the smell of napalmed IT projects in the morning!

Not, though, when they are government IT projects and the wafting odor is from taxpayer monies going up in smoke. And unfortunately, for the past few weeks, the stench of burning government IT projects has been especially pungent.

We start off in California, where after burning through some $50 million, California State Controller John Chiang announced last Friday he had decided to terminate the state’s US $89.7 million contract “with SAP as the system integrator for the MyCalPAYS system, the largest payroll modernization effort in the nation.” The planned 5-phase effort mercifully never made it past the first pilot phase.

Furthermore, Chiang said that the Secretary of the California Technology Agency (CTA) has “suspended further work until the CTA and SCO [State Controller’s Office] together conduct an independent assessment of SAP’s system to determine whether any of SAP’s work can be used in the SCO’s go-forward plan to address the State’s business needs.”

You may remember that Chiang sent SAP a letter last October warning that the project was “foundering and is in danger of collapsing,” and gave SAP one last chance in the form of a demand for urgent get-well efforts from the company. Chiang claimed that there were errors in one out of every three tasks performed by SAP's system, and that there hadn’t been a single pay cycle without material payroll errors occurring.

In Friday’s announcement, Chiang threw in the towel. He said that while he had hoped “for a successful cure to SAP’s failure to deliver an accurate, stable, reliable payroll system, SAP has not demonstrated an ability to do so.” This was especially disheartening, Chiang implied, given that the SAP effort covered only 1300 SCO employees who had “fairly simple payroll requirements.” There was no way the SAP system could be trusted to support the payroll requirements of the state's "240 000 employees, operating out of 160 different departments, under 21 different bargaining units."

SAP said in response to the news of its contract termination that it was “extremely disappointed in the actions. SAP stands behind our software and actions.... SAP also believes we have satisfied all contractual obligations in this project.”

All of this, of course, suggests that when the napalm smoke clears, a date in court will be in the offing. Chiang as much as said so in the announcement: “The SCO will pursue every contractual and legal option available to hold SAP accountable for its failed performance and to protect the interests of the State and its taxpayers. This includes contractually required mediation and, if necessary, litigation.”

An SCO spokesperson called the project’s performance “frightening,” but what must be really frightening to California taxpayers is the continued inability of the state to manage the acquisition of its IT projects. So far, nearly $254 million has been spent in two unsuccessful attempts to get a state government payroll system in place, the LA Times reports. If SAP fights instead of settles, it would at least be a public service, exposing the depth of California’s IT project risk mismanagement.

The upshot is that California will continue to use its decades-old Cobol-based payroll system until it figures out what to do next. And to help it figure that out, the SCO has—in the best tradition of government—set up an IT Procurement Task Force. Whenever in doubt, form a committee.

I hope the Task Force members have strong stomachs; the stench of IT project failure coming out of California is of the mephitis variety.


IT Hiccups of the Week: University of Wisconsin Loses Another $1.1 Million Amid Payroll Glitches

This week’s IT hiccups and snafus are a varied lot. We’ll start off with the University of Wisconsin’s ongoing payroll and benefits system saga.

$1.1 Million Lost Because of Glitches in UW Payroll System – More May Follow

The Wisconsin State Journal reported last week that “glitches” with the University of Wisconsin’s controversial payroll and benefits system had resulted in US $1.1 million in improper payments which the university may likely end up having to absorb. In addition, the Journal reported, University President Kevin Reilly warned that further examination of the payroll system “by system staff, an independent analyst and the state auditor are ‘likely to find more issues.’”

This news has not gone over well with Wisconsin state legislators, who were already upset when an audit by the Legislative Audit Bureau released late last month indicated that problems with the UW payroll system had resulted in $33 million in improper payments being made over the past two years. Another Journal article reported that while some $20 million of those $33 million in overpayments have been recovered, much of the remaining $13 million may well have to be written off.

When the $33 million in overpayments was first reported, UW's Reilly put out a statement that said in part, “I am deeply troubled by these mistakes…. We will identify exactly why and how these significant errors occurred, we will validate that steps we have already taken are working, we will take any additional steps that need to be taken, and we will make absolutely sure that similar errors do not happen again.”


This Week in Cybercrime: Former State Government Employee Used Driver’s License Database Access to Snoop on Thousands

Minnesota Government Employee Wrongfully Accessed Driver’s License Data

It’s hard enough to keep your personal information out of the hands of cybercriminals bent on using it to steal from you or fraudulently acquire things in your name. But it seems like there’s no hope when organizations you trust with your personal details—like the Minnesota Department of Public Safety—mishandle them. That was likely the case for roughly 5000 state residents who found out this week that a former state employee has been charged with illegally accessing the records associated with their driver’s licenses. The data thief, who was once the state's Department of Natural Resources Enforcement Division's administrative manager, was authorized to look at a resident's records when they related to his office’s official business. But between 2008 and last October, he used his credentials to query the state Driver and Vehicle Services database more than 19 000 times. He looked up the names of politicians, judges, county and city attorneys, police officers, news reporters, family members and other state employees. Most of his downloads were of women whose pictures appeared in the database.

According to a Kaspersky Lab Threatpost article, four people who have been notified that their records were wrongfully accessed are suing the alleged perpetrator and other state employees. “They said the data breaches caused severe emotional stress and physical harm and were the result of ‘lax policies and lax enforcement’ that allowed an unsupervised, unmonitored Hunt to continually access records for years,” says the Threatpost article.
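The Minnesota case turns on an authorized user who ran far more lookups than any case work could justify, for years, with nobody reviewing the audit trail. The following is an added illustration, not code from the article or from any state system, of the kind of audit-log review that would surface such a pattern: it flags users with lookups that carry no business-purpose code, daily volumes over a baseline, and rapid-fire bursts of queries. The log format, field names, user names and thresholds are all constructed assumptions.

```python
"""Added illustration (not from the article): scanning a constructed
driver-record audit log for access patterns a reviewer should examine.
Log format, user names, purpose codes and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: timestamp, user, action, record id, purpose code.
# "NONE" means the lookup was not tied to any case or official request.
SAMPLE_LOG = """\
2012-10-01T09:02:11 alice LOOKUP DL-1001 CASE-4411
2012-10-01T09:05:40 alice LOOKUP DL-1002 CASE-4411
2012-10-01T09:06:02 bob LOOKUP DL-2001 NONE
2012-10-01T09:06:15 bob LOOKUP DL-2002 NONE
2012-10-01T09:06:30 bob LOOKUP DL-2003 NONE
2012-10-01T09:06:44 bob LOOKUP DL-2004 NONE
2012-10-01T09:07:01 bob LOOKUP DL-2005 NONE
2012-10-01T09:07:19 bob LOOKUP DL-2006 NONE
2012-10-01T10:15:00 carol LOOKUP DL-3001 CASE-9920
"""


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, purpose = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record, "purpose": purpose})
    return events


def find_suspicious_users(events, daily_limit=5, burst_window_s=60, burst_limit=3):
    """Return {user: [reasons]} for users whose access pattern needs review."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "LOOKUP":
            by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        reasons = []
        # 1. Lookups with no documented business purpose.
        no_purpose = sum(1 for e in evs if e["purpose"] == "NONE")
        if no_purpose:
            reasons.append(f"{no_purpose} lookups without a purpose code")
        # 2. Daily volume above the per-user baseline.
        per_day = defaultdict(int)
        for e in evs:
            per_day[e["ts"].date()] += 1
        over = [d for d, n in per_day.items() if n > daily_limit]
        if over:
            reasons.append(f"daily volume over {daily_limit} on {len(over)} day(s)")
        # 3. Bursts of lookups in a short window (browsing, not case work).
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - burst_limit + 1):
            span = (evs[i + burst_limit - 1]["ts"] - evs[i]["ts"]).total_seconds()
            if span <= burst_window_s:
                reasons.append(f"{burst_limit}+ lookups within {burst_window_s}s")
                break
        if reasons:
            findings[user] = reasons
    return findings


def review_sample():
    """Run the checks over the constructed log; only 'bob' should be flagged."""
    return find_suspicious_users(parse_log(SAMPLE_LOG))
```

A purpose code that the application forces the user to supply at query time is what makes the first check possible; without it, volume and burst heuristics are all that is left, and a patient insider can stay under both.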

Government Agencies, Military Among Users of Vulnerable Industrial Control System

What do the FBI, the Drug Enforcement Agency, the U.S. Marshals Service, the IRS, the U.S. Passport Office, the British Army, and Boeing have in common? They are just a few of the thousands of organizations whose facilities depend on an industrial control system with a security hole that could allow attackers to remotely control critical building functions such as electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, and alarms. The vulnerability in the Tridium Niagara AX Framework was reported on 5 February at the Kaspersky Security Analyst Summit.

Billy Rios and Terry McCorkle, security researchers with Cylance, demonstrated a zero-day attack that yields access to the system’s config.bog file, which holds login credentials and other data for operator work stations, and controls the systems that are managed by them. The exploit, say Rios and McCorkle, takes advantage of a vulnerability that gave them root on the system’s platform. “The platform is written in Java, which is really, really good from an exploitation standpoint,” Rios told Wired. “Once we can own the platform, a lot of the other stuff is very, very straightforward [to attack],” said Rios.

Rios and McCorkle reported that a search turned up roughly 21 000 Tridium systems that were accessible over the Internet.

In a written statement, Tridium revealed that the researchers notified it about the vulnerability in December; it has been working on a patch, which it says it expects to release by 13 February. In an attempt to downplay the vulnerability, the statement noted that, “The vast majority of Niagara AX systems are behind firewalls and VPNs—as we recommend—but clearly, as Rios and McCorkle have shown, there are many systems potentially at risk.” That’s a change of tune from Tridium’s stance just last year, when it told the Washington Post that its systems benefited from security through obscurity.

Tried-and-True Thieving Techniques Taken Up Again

Cyberthieves have developed sophisticated malware that can infiltrate a victim’s computer, allowing a thief to tap into online banking sessions initiated by customers in real time. Such malicious code is capable of conducting fraudulent transactions right under the victim’s nose and covering its tracks by updating the account balance and transaction history display in the victim’s browser. But because banks have developed countermeasures including software that detects anomalies in customers’ online access, some crooks are eschewing session hijacking and going back to the old and familiar: stealing login credentials for subsequent access from a separate computer. This shift was confirmed by researchers at security firm Trusteer, who reported this week that they noticed changes in the Tinba and Tilon financial Trojan programs. According to a 7 February blog post by Amit Klein, Trusteer's chief technology officer, the Trojans divert a customer attempting to access his or her bank’s website to a fake version. The rest is history, says Klein:

“Once the customer enters their login credentials into the fake page the malware presents an error message claiming that the online banking service is currently unavailable. In the meantime, the malware sends the stolen login credentials to the fraudster who then uses a completely different machine to log into the bank as the customer and executes fraudulent transactions.”

Now banks have to be on the lookout for both the new and (relatively) old-school techniques.
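The Trusteer description above gives the bank a detectable signature: the customer's real browser logs in (and sees a fake "service unavailable" page), and minutes later the same credentials arrive from a machine that customer has never used. The following is an added example, not Trusteer's or any bank's code, of a server-side check for that pattern; the event layout, device fingerprints, IP addresses and time window are constructed assumptions.

```python
"""Added illustration (not from the Trusteer post): a bank-side check for
stolen credentials being replayed from a machine the customer never used.
Event format, fingerprints, addresses and the window are assumptions."""
from datetime import datetime, timedelta

# Constructed login events: (timestamp, customer, device fingerprint, source IP).
# cust-1's real device logs in twice (the second time it is shown the fake
# error page); nine minutes later the harvested credentials are used elsewhere.
SAMPLE_LOGINS = [
    ("2013-02-07T08:00:00", "cust-1", "dev-home", "203.0.113.5"),
    ("2013-02-07T08:00:20", "cust-1", "dev-home", "203.0.113.5"),
    ("2013-02-07T08:09:00", "cust-1", "dev-unknown", "198.51.100.9"),
    ("2013-02-07T09:00:00", "cust-2", "dev-laptop", "192.0.2.44"),
    ("2013-02-07T13:00:00", "cust-2", "dev-new-phone", "192.0.2.80"),
]

# Device fingerprints each customer has previously enrolled (constructed).
KNOWN_DEVICES = {"cust-1": {"dev-home"}, "cust-2": {"dev-laptop"}}


def flag_replayed_logins(events, known_devices, window=timedelta(minutes=30)):
    """Return (customer, timestamp, ip) for successful logins from an unknown
    device that follow a known-device login within `window`.

    A first login from an unknown device with no recent known-device login is
    left to step-up authentication rather than flagged here."""
    last_known = {}
    flagged = []
    for ts_str, cust, device, ip in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if device in known_devices.get(cust, set()):
            last_known[cust] = ts
            continue
        prev = last_known.get(cust)
        if prev is not None and ts - prev <= window:
            flagged.append((cust, ts_str, ip))
    return flagged


def check_sample():
    """Apply the rule to the constructed events."""
    return flag_replayed_logins(SAMPLE_LOGINS, KNOWN_DEVICES)
```

The rule only fires on the timing relationship, so cust-2's new phone four hours after a normal login is not flagged; in practice that case would go through a device-enrollment challenge instead.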

Adobe Releases Emergency Security Update

On 7 February, Adobe released a patch for its Flash Player meant to stop hackers from using two zero-day vulnerabilities to take over Windows PCs and Macs. Adobe was already planning to release a Flash Player update on 12 February, but because the software maker was “aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash content," it released the fixes as soon as they were ready. The other vulnerability was being used for so-called drive-by attacks that victimize computer users who navigate to a malicious website hosting an exploit.

UK Government Reasserts Its Right to Snoop on All Electronic Communications

Last April Fool’s Day, the BBC reported that the UK government was planning to introduce legislation that would allow the monitoring of all the “calls, emails, texts and website visits of everyone in the UK” by the Government Communications Headquarters (GCHQ) intelligence agency. The information would be monitored in real-time and then stored for two years before being erased. The government needed the monitoring capability, it said, to be able to “investigate serious crime and terrorism and to protect the public.”

The government also promised that the legislation would “ensure that the use of communications data is compatible with the government's approach to civil liberties.”

It's good to see the tradition of doublethink is alive and well in the UK.

Almost immediately, members of even the government’s own party said that this legislation was a massive overreach and threatened civil liberties. Telecommunication and Internet providers weren’t too happy either, saying that the program was going to be expensive and a nightmare to implement.

A pre-legislative parliamentary scrutiny committee was set up to look into the feasibility of the proposed legislation, now being dubbed the “snoopers charter.” By late autumn, word was that the committee did not like what it saw and was preparing to say so in a report in early December. The UK Home Secretary, Theresa May, was aggressively pushing the legislation and on 3 December, upon hearing of the committee’s unflattering appraisal of it, launched a preemptive strike on the committee’s findings. She told the Sun newspaper that the legislation had to be passed, otherwise “we could see people dying” and “criminals going free” including “pedophiles who will not be identified.” She also warned of a reduction in “our ability to deal with this serious organized crime.”

May concluded, “Anybody who is against this bill is putting politics before people’s lives.”

However, the committee was unimpressed by May’s "you are either with us or against us" attack. On 10 December, the Guardian published a story detailing the committee's determination that the legislation was unworkable as written, that it “tramples on the privacy of British citizens,” and further that the estimated cost of the effort of some £1.8 billion over 10 years was “fanciful and misleading.” Nick Clegg, the leader of the government’s Liberal Democrat coalition party, told May, “We cannot proceed with this bill and we have to go back to the drawing board."

So politics and common sense won out, at least for a little while. There were warning signs that this wouldn't last, however. While May stated that she was “open-minded” about changing the legislation, the Guardian reported that she “remained determined to introduce it before the session ends next spring and get it on the statute book before the next election.”

This week May's snooping desires got a boost as the London Telegraph reported that the cross-party parliamentary Intelligence and Security Committee (ISC) has come out in support of the "snoopers charter," though it also warned that “the government must do more to convince public of the need for them.” Hmm, sounds like it's time to beat the “it’s all for the sake of the children” drum a bit louder, or maybe, to say, a la Orwell, that the charter is needed as an “act of self-defense against a homicidal maniac.”

According to the Telegraph, the Director General of MI5, Jonathan Evans, said that without the legislation, “it was increasingly difficult to be confident that targets were being fully watched” because of rapid changes in communication technology. And in a related story at the Guardian, the Home Office claims that the charter is urgently needed as “there is already a 25 percent ‘capability gap’ between the tracking data that the security services need to access and their ability to do so.”

Evans did admit to the ISC, though, that the Home Office’s 25 percent figure depended upon some “pretty heroic assumptions,” the Guardian reported. In other words, it was most likely a number that made for a good news sound bite, but as a measure of the capability gap it has little credibility indeed.

A story at the Daily Mail reports that the UK's intelligence service says it isn't interested in unfettered access to the content of every communication, and that its fetters would still be court orders, which it would continue to obtain. It just wants information on “who sends a message, where and how it is sent, and who receives it.”

Of course, with people's identities closely bound with their cellphones, and with all the GPS and other information that cellphones throw off these days, this metadata is often more important than the information content itself, much of which, by the way, can probably be inferred pretty quickly with advanced data analytics. And if the messages are passing through the communication channels being monitored by the U.S. National Security Agency, the contents can probably be provided to GCHQ without a UK court order request even being filed.

The Daily Mail article also points out that GCHQ isn’t worried whether the messages are encrypted, either. Apparently, it has “options” to deal with it.

How this all plays out, time will only tell. But the idea of a democratic government that maintains its belief in its citizens' right to privacy also claiming in the same breath it also has a right to snoop on all forms of electronic communication reminds me of another Orwell quote: “We have now sunk to a depth at which restatement of the obvious is the first duty of intelligent men.”

Image: iStockphoto

IT Hiccups of the Week: Digital Navigation Error Leads to Dismantling of U.S. Navy Ship

There was a real potpourri of IT-related glitches, snarls, and snafus to choose from last week. We start off with the lingering after-effects of the grounding of the USS Guardian on a Philippine reef—which we first noted a few weeks ago.

U.S. Navy Decides to Scrap Minesweeper Stuck on Ecologically Sensitive Philippine Reef

On 17 January, the U.S. Navy minesweeper USS Guardian ran hard aground on a reef within the protected Tubbataha Reefs Natural Park in Philippine waters where it remains stuck. A preliminary assessment indicates that the ship was following a National Geospatial-Intelligence Agency-supplied Coastal Digital Nautical Chart (DNC) that “misplaced the location of a reef by about eight nautical miles.” The reef is located in a UNESCO World Heritage restricted zone, and any damage caused to the reef is heavily fined.

The Navy had hoped that it could wrestle the USS Guardian free without too much damage to the reef or the ship, but those hopes were dashed when the 23-year-old wooden-hulled ship started taking on water. As a result, the Navy decided that the best option was to dismantle the ship and remove it as three separate sections. A floating crane from Singapore is being brought in to help with the ship’s removal.

An interesting story last week at the website Maritime Accident Casebook indicates that the navigational snafu has been attributed to human error at the National Geospatial-Intelligence Agency (NGA). According to the story, the NGA decided to update its navigational charts in 2008 using LANDSAT-derived imagery because of the age and uncertainty of information shown on the nautical charts in that area of the Pacific (some dating back to 1940 and 1942, an earlier MA Casebook article says). Some of the old charts even indicated the presence of “phantom islands.”

Quoting an NGA spokesperson, “One of these images included incorrect information about the location of the section of ocean that includes the Tubbataha Reef. At the time, no other source information existed to validate that imagery data. As a result, the reef was incorrectly placed in the DNC.”

Then, in 2011, the NGA became aware of the error, and corrected all the charts except one: that being the one for the area around the Tubbataha Reef. According to the NGA, this was a result of “a failure to follow established procedure.”

In the wake of the incident, the NGA has reexamined charts covering “more than 116 million square nautical miles of ocean” and found only one other error of a “magnitude similar to the misplacement of the Tubbataha Reef.” That one corresponded to an area off the coast of Chile. Mariners have been warned of the discrepancy.

The Navy expects that it will take about a month to remove the USS Guardian. The fine to be levied is unknown, but it is likely to be substantial. The political price may be substantial as well.

Technical Issues Hit Amazon, Bank of America, PayPal and Twitter

A cluster of IT glitches last week hit some well-known companies. First, on Monday, there were reports that PayPal customers ended up being charged multiple times for their transactions over a period of about three hours. PayPal has strongly denied The Register's claims that the problem lasted 15 hours. A story at FierceCIO says that the multiple-charge problem was the result of instant payment notifications that were delayed in being sent back to customers. The delay caused many customers to think their PayPal transactions didn’t go through, causing them to make one or more additional payments. PayPal says that, “All customers will be refunded for duplicate transactions as soon as possible.”
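The PayPal incident is the textbook case for idempotent payment requests: when the confirmation is late, a buyer (or a client library) will retry, and the gateway has to recognize the retry as the same payment rather than a new one. The following is an added example of that design, written for this page and not PayPal's code or a description of its fix; the gateway class, its storage and the key format are assumptions. It shows a naive retry producing duplicate charges beside a keyed version that charges once.

```python
"""Added illustration (not PayPal's code): an idempotency key so that a buyer
who retries after a missing confirmation is charged exactly once.
The gateway, its in-memory store and the key format are assumptions."""
import uuid


class PaymentGateway:
    def __init__(self):
        self._charges = {}   # charge_id -> charge record
        self._by_key = {}    # idempotency key -> charge_id

    def charge(self, account, amount_cents, idempotency_key=None):
        """Create a charge; with a key, a repeat returns the original charge."""
        if idempotency_key is not None:
            existing = self._by_key.get(idempotency_key)
            if existing is not None:
                rec = self._charges[existing]
                # Same key with different parameters is a client bug, not a retry.
                if (rec["account"], rec["amount_cents"]) != (account, amount_cents):
                    raise ValueError("idempotency key reused with different parameters")
                return rec
        charge_id = str(uuid.uuid4())
        rec = {"id": charge_id, "account": account,
               "amount_cents": amount_cents, "status": "captured"}
        self._charges[charge_id] = rec
        if idempotency_key is not None:
            self._by_key[idempotency_key] = charge_id
        return rec

    def total_charged(self, account):
        """Sum of captured amounts for one account."""
        return sum(r["amount_cents"] for r in self._charges.values()
                   if r["account"] == account)


def naive_retries(gateway, account, amount_cents, attempts=3):
    """Weak form: every retry after a lost notification becomes a new charge."""
    ids = {gateway.charge(account, amount_cents)["id"] for _ in range(attempts)}
    return len(ids)


def keyed_retries(gateway, account, amount_cents, attempts=3):
    """Hardened form: the client mints one key per intended payment and
    reuses it on every retry, so the gateway collapses them to one charge."""
    key = str(uuid.uuid4())
    ids = {gateway.charge(account, amount_cents, idempotency_key=key)["id"]
           for _ in range(attempts)}
    return len(ids)
```

In a real system the key-to-charge mapping must be written in the same transaction as the charge itself, or two concurrent retries can still race past the lookup and both create charges.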

Then on Thursday, Amazon suffered a 49-minute outage that made its homepage inaccessible, although it said that its other pages were fine. Amazon has been closed-mouthed about what caused the outage, other than to say it wasn’t hacked nor was it a problem with its cloud. It has been estimated that the cost to the company will be around $5 million in lost revenue.

Also on Thursday, Twitter said in a message to its users that there were “intermittent issues affecting Web and mobile users, globally, between approximately 7:00am and 9:50am PST.” The message went on to say that, “We apologize to users who were affected by this, and we’re working to ensure that similar issues do not occur.” The message did not say what those issues were.

In an apparently unrelated matter, Twitter then announced Friday that it had “discovered one live [security] attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information—usernames, email addresses, session tokens and encrypted/salted versions of passwords—for approximately 250,000 users.”

As a precaution, Twitter has “reset passwords and revoked session tokens for these accounts.” Affected users will be receiving an email asking them to reset their passwords; if you get one, just be careful it isn’t a phish.
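Twitter's statement names three server-side controls: passwords stored as salted hashes, session tokens that can be revoked, and forced resets for affected accounts. The following is an added example, not Twitter's code, of what those three steps look like in a minimal account store; the PBKDF2 parameters, data layout and method names are assumptions chosen for illustration.

```python
"""Added illustration (not Twitter's code): salted password hashing, session
token revocation and a forced reset after a credential breach.
Data layout, method names and the PBKDF2 work factor are assumptions."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERS = 200_000  # assumption: tune the work factor to your hardware


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt per user defeats rainbow tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    def __init__(self):
        self.users = {}      # username -> {"salt", "digest", "reset_required"}
        self.sessions = {}   # session token -> username

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "reset_required": False}

    def login(self, username, password):
        """Return a new session token, or None if login is refused."""
        u = self.users.get(username)
        if u is None or u["reset_required"]:
            return None
        if not verify_password(password, u["salt"], u["digest"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def session_user(self, token):
        return self.sessions.get(token)

    def contain_breach(self, affected):
        """Revoke every live session and force a reset for the affected accounts.
        Revocation matters because a stolen token works without the password."""
        for tok in [t for t, u in self.sessions.items() if u in affected]:
            del self.sessions[tok]
        for u in affected:
            if u in self.users:
                self.users[u]["reset_required"] = True
        return len(affected)

    def reset_password(self, username, new_password):
        """Complete the reset the notification email asks the user to perform."""
        salt, digest = hash_password(new_password)
        self.users[username] = {"salt": salt, "digest": digest, "reset_required": False}
```

The reset email itself is the weak point the article warns about: the store above never needs the old password in that email, and a genuine reset link should land on the service's own domain, not on a look-alike.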

Also on Friday, Bank of America said that its electronic banking operations and telephone call centers were inaccessible. The Washington Post reported that the problem was caused by unexplained “technical issues” rather than a cyber attack. And according to a story at the BBC which coincidentally was published on Friday, no one should be surprised by similar outages at other banks this year because of the ever increasing complexity of banking software.

Another Week, Another Stock Market Gaffe

This week’s stock market gaffe happened Friday on India's National Stock Exchange. In this case, an error in the software being used by the brokerage Religare Capital Markets Ltd. caused Tata Motors' stock price to fall by 10 percent. Religare was quoted by Bloomberg News as saying, “Due to some technical issue in the software, unintended transactions got executed.”

Bloomberg said that the error will likely cost the brokerage some 100 million rupees (around US $1.8 million).

Last year you may recall there was another trading glitch that caused the National Stock Exchange (NSE) Nifty index to plunge over 800 points in a few minutes, wiping out some $58 billion in value from the fourth largest market in Asia.

Saving London’s Iconic Black Cabs – At Least for Now

Finally, last October, I noted that Manganese Bronze, the maker of the iconic London black taxi, announced that it was going into administration—the U.K. version of U.S. bankruptcy law's Chapter 11. The reason was an accounting error that went unseen for over two years when the company switched to new accounting software. The result: the company understated by £3.9 million its historical losses. Given the poor economic health of the company and the intense competition in London’s taxi market, Manganese Bronze stock took a nosedive when the accounting error became public. It looked like only a matter of time before the company, which was then worth roughly £5 million, would go belly up.

Fortunately, last week, Chinese car manufacturer Zhejiang Geely, which already owned 20 percent of Manganese Bronze, decided to buy the rest of the company and its assets for £11.04 million “through a newly established British subsidiary, Geely UK,” the London Telegraph reported. The new owners say they are “confident” the business will be profitable within three years.

I hope so. London wouldn’t really be the same without those black taxis.


Photo: Naval Aircrewman 3rd Class Geoffrey Trudell/U.S.Navy

This Week in Cybercrime: Hackers Break Into News Outlets’ Computers

Hackers Break Into News Outlets’ Computers to Peek at Reporters’ Notes

On 30 January, the New York Times reported on its site that it was the victim of a sophisticated campaign of cyberattacks aimed, it suspects, at uncovering the names of sources who provided information about the business dealings of Chinese Prime Minister Wen Jiabao and his family. (In fact, we’re learning that the Times was only the latest publication to have its systems raided, but more on that later.) According to the NYT article, Chinese hackers, who tried to cover their tracks by infecting and remotely controlling computers at U.S. universities and then routing their attacks through those compromised machines, started snooping around the Times’ internal networks as early as 13 September. The intrusions began after word got out that journalists at the daily’s Shanghai bureau were researching how Wen had amassed a fortune worth billions. According to a researcher at Mandiant, the computer security company the paper hired to exorcise the malicious code:

“[The hackers] set up at least three back doors into users’ machines that they used as a digital base camp. From there they snooped around The Times’s systems for at least two weeks before they identified the domain controller that contains user names and hashed, or scrambled, passwords for every Times employee.”

Mandiant discovered that the hackers used the passwords to access the computers of 53 Times employees. But Times Executive Editor Jill Abramson, who was quoted for the story, says, “Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied.” The Times was also quick to offer reassurance that no customer data was stolen. But what the hackers did in fact take is still an open question.

Even after the article about Wen was published on 25 October, the hackers continued snooping. The Times article references a December intelligence report prepared by Mandiant. The security firm had uncovered evidence that the “Chinese hackers had [from as far back as 2008] stolen e-mails, contacts and files from more than 30 journalists and executives at Western news organizations, and had maintained a ‘short list’ of journalists whose accounts they repeatedly attack.”

That assessment was confirmed on 31 January, when the Wall Street Journal admitted that hackers trying to monitor the newspaper's coverage of China had broken into its systems. Bloomberg says it was targeted after publishing an article last June about Xi Jinping, China’s then vice president and now general secretary of the country’s Communist Party. But Bloomberg says that although its computer systems came under attack, they were never breached.

Thousands of Networked Gadgets Double as Gaping Security Holes

Computerworld is reporting that faulty implementations of the Universal Plug and Play (UPnP) protocol standard have turned millions of network-enabled devices such as routers, printers, media servers, and even smart TVs into gateways through which hackers can get inside firewalls. On 29 January, security researchers from Rapid7 released a research paper in which they noted that more than 20 percent of the 80 million unique IP addresses that responded to their UPnP discovery probes also exposed the UPnP Simple Object Access Protocol (SOAP) service to the Internet. UPnP is what lets one networked device discover another and remotely turn on the other gadget’s data sharing, media streaming, media playback control, and other services; the SOAP service is the control interface through which those commands are issued, so exposing it to the Internet means anyone can issue them. The Computerworld article explains that:

“In one common scenario a file-sharing application running on a computer can tell a router via UPnP to open a specific port and map it to the computer's local network address in order to open its file-sharing service to Internet users.”

Many of the devices surveyed had UPnP implemented through a library called the Portable UPnP SDK. Unfortunately, as the Rapid7 researchers discovered, that SDK contains eight remotely exploitable vulnerabilities, two of which can be used to execute code remotely on the device.

The upshot: More than 23 million networked devices exhibited this vulnerability during the test. Rapid7 told Computerworld that a patch for the SDK has been released, but the firm’s chief security officer predicted in a 29 January blog post that “it will take a long time before each of the application and device vendors incorporate this patch into their products.”

The slow-to-update problem, says Rapid7, also affects users of a UPnP library called MiniUPnP, which can be exploited for denial of service and remote code execution attacks. New versions released in 2008 and 2009 don’t contain those security holes. But according to Rapid7, 14 percent of the Internet-exposed UPnP devices it probed were still running MiniUPnP 1.0 and were thus still vulnerable. Though Rapid7 has released a free tool called ScanNow for Universal Plug and Play, along with a Metasploit module that detects vulnerable UPnP services running inside a network, many vulnerable devices will remain unpatched.

“Many PC users don't even update PC software that they frequently use and are familiar with,” Thomas Kristensen, chief security officer at vulnerability research and management firm Secunia, told Computerworld. “The task of finding the Web interface of a vulnerable networked device, obtaining the firmware update and going through the whole update process will likely be too intimidating for many users,” he said.
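As an added example (my code, not Rapid7's, Computerworld's, or anything from the article), the script below does the two things this section describes. It parses SSDP M-SEARCH replies of the kind Rapid7's scan collected and flags devices whose SERVER header names an old Portable UPnP SDK or MiniUPnPd build, and it builds the SOAP AddPortMapping request from the “common scenario” above, so you can see exactly what an Internet-reachable control service will accept from anyone who can reach it. The sample replies are constructed, and the version thresholds (libupnp 1.6.18 as the fixed release; anything below MiniUPnPd 1.4 as pre-fix) are assumptions to check against your vendor's advisory.

```python
# Added example: not code from the article, Rapid7 or Computerworld.
# Parses SSDP M-SEARCH replies, flags the two UPnP stacks the article names,
# and builds the SOAP AddPortMapping request from the "common scenario".
# Sample replies are constructed; the version thresholds are assumptions.
import re
import socket
from dataclasses import dataclass

SSDP_MCAST = ("239.255.255.250", 1900)
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n'
)
# Assumed fix thresholds: libupnp 1.6.18 is the release that carried the
# Rapid7-reported fixes; the article says fixed MiniUPnP versions shipped in
# 2008 and 2009 and that 1.0 is still exposed, so anything below 1.4 is flagged.
LIBUPNP_FIXED = (1, 6, 18)
MINIUPNPD_FIXED = (1, 4)


@dataclass
class Finding:
    location: str    # device description URL: the SOAP control service lives here
    library: str     # "libupnp", "miniupnpd" or "unknown"
    version: tuple
    vulnerable: bool
    reason: str


def parse_ssdp(raw: str) -> dict:
    """Split an HTTP-style SSDP reply into a lower-cased header dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def _ver(text: str) -> tuple:
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def assess(raw: str) -> Finding:
    """Classify one SSDP reply by the stack named in its SERVER header."""
    h = parse_ssdp(raw)
    server, location = h.get("server", ""), h.get("location", "")
    m = re.search(r"Portable SDK for UPnP devices/([\d.]+)", server, re.I)
    if m:
        v = _ver(m.group(1))
        bad = v < LIBUPNP_FIXED
        return Finding(location, "libupnp", v, bad,
                       "Portable UPnP SDK below 1.6.18" if bad else "patched")
    m = re.search(r"miniupnpd/([\d.]+)", server, re.I)
    if m:
        v = _ver(m.group(1))
        bad = v < MINIUPNPD_FIXED
        return Finding(location, "miniupnpd", v, bad,
                       "MiniUPnPd below the 2008/2009 fixes" if bad else "patched")
    return Finding(location, "unknown", (), False, "stack not recognised; inspect manually")


def discover(timeout: float = 2.0) -> list:
    """Live LAN probe: multicast one M-SEARCH and collect raw replies."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(M_SEARCH.encode(), SSDP_MCAST)
    replies = []
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            replies.append(data.decode(errors="replace"))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


def build_add_port_mapping(ext_port: int, int_port: int, int_host: str,
                           proto: str = "TCP", desc: str = "example") -> tuple:
    """SOAP request a LAN app sends to a UPnP IGD router to map ext_port to int_host:int_port.
    If the control URL is reachable from the Internet, anyone can send the same thing."""
    svc = "urn:schemas-upnp-org:service:WANIPConnection:1"
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{svc}"><NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{ext_port}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort><NewInternalClient>{int_host}</NewInternalClient>'
        f'<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>'
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{svc}#AddPortMapping"'}
    return headers, body


def _reply(server: str, host: str = "192.168.1.1") -> str:
    """Construct a plausible SSDP reply (sample data, not a capture)."""
    return ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
            f"LOCATION: http://{host}:49152/rootDesc.xml\r\nSERVER: {server}\r\n"
            "ST: upnp:rootdevice\r\nUSN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n")


SAMPLE_REPLIES = {  # constructed, covering the four cases the article discusses
    "libupnp_old":   _reply("Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6"),
    "libupnp_fixed": _reply("Linux/3.2, UPnP/1.0, Portable SDK for UPnP devices/1.6.18"),
    "miniupnpd_1_0": _reply("OS 1.0 UPnP/1.0 miniupnpd/1.0"),
    "miniupnpd_1_4": _reply("Debian/5.0 UPnP/1.0 miniupnpd/1.4"),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REPLIES.items():  # swap in discover() for a live LAN sweep
        f = assess(raw)
        print(f"{name:14} {f.library:10} {'.'.join(map(str, f.version)):8} "
              f"{'VULNERABLE' if f.vulnerable else 'ok':10} {f.reason}")
```

Run as-is it classifies the four constructed replies; replace `SAMPLE_REPLIES.items()` with `discover()` to sweep your own LAN. The SERVER banner is only a first pass: a vendor may have backported a fix without bumping the version, so confirm with the vendor advisory or Rapid7's ScanNow tool before closing a finding, and remember that the real exposure is whether the `LOCATION` host and its SOAP control URL answer from the WAN side at all.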

Want to Use a Plug-in on Firefox? Ask For It

Mozilla announced this week that it would automatically disable all plug-ins in Firefox except the latest version of Adobe's Flash Player. For any other plug-in to run, the user will have to click to activate it. This feature, which Mozilla calls “click-to-play,” previously blocked only plug-ins that the Firefox browser judged to be unsafe or too far out of date. The move comes on the heels of numerous reports of hackers exploiting bugs in plug-ins, particularly the Java browser plug-in. Other browsers, such as Chrome and Opera, also include a click-to-play feature, but Mozilla is the first to turn it on by default; the others require the user to enable it.

Yahoo Mail Hijacking Case Solved

Security researchers at Romania-based Bitdefender say they have gotten to the bottom of how some Yahoo Mail accounts have been hijacked over the past month. Victims receive a message containing a link that appears to lead to an MSNBC news story but actually sends them to a domain registered in Ukraine. JavaScript served from those pages harvests the victim's contacts and sends spam in his or her name, and the bait is dressed up so convincingly that it's almost impossible not to click on it.

Bill Shocker Malware Spreading Like Wildfire in China

It was revealed this week that a new piece of malware dubbed “Bill Shocker” has infected at least 600 000 mobile devices in China. The malicious code, which targets several of the most popular mobile apps in China, including Tencent QQ Messenger and Sohu News, sends spam to the users’ contact lists, often running up large bills by exceeding the number of messages included in the unsuspecting users’ messaging plans. In a 30 January blog post, Beijing- and Dallas-based NQ Mobile said that the malware can update itself and "automatically expand to other apps, multiplying the potentially disastrous effects.”

Photo: Jleon/Wikipedia


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones