Risk Factor

Computer Technology Impact on 2013 Society as Predicted in 1962 and 1988

I am always on the lookout for stories featuring past predictions of the future impacts of technology on society and how closely they mirrored reality. So I was quite happy to find a couple of recent articles, one in BusinessWeek and the other in the LA Times, discussing technology predictions made by the CIA in 1962 and by a group of futurologists in 1988.

The CIA predictions involved a speculative piece, recently released, concerning how computers might impact future U.S. intelligence gathering, data processing and analysis. The paper was written by CIA analyst Orrin Clotworthy and entitled, “Some Far-out Thoughts on Computers” which was originally published in the agency’s Studies in Intelligence in 1962. In his paper, Clotworthy wrote that there was “rising optimism” to think that behavioral scientists would someday be able to use computers “to foretell the behavior of large groups of people within reasonable limits, given accurate and timely measures of certain telltale factors.”

Clotworthy also speculates that computers could be programmed by the year 2000 to perform as a “stand-in brain” that could test out different scenarios and make predictions of the behaviors of foreign leaders. He goes on to note while storage of the information needed for such a “stand-in brain” might pose a difficult problem, getting all the data required could be “obtained with relative ease.”

Makes one think about how much access the CIA had to personal, corporate and governmental data domestic and foreign back then. As a side note, Reuters reported two weeks ago that the Obama Administration is drawing up plans to allow “all U.S. spy agencies full access to a massive database that contains financial data on American citizens and others who bank in the country.”


IT Hiccups of the Week: Hundreds of Thousands Hit By U.S. Tax Filing Glitches

We had another interesting mixture of IT-related glitches, snarls, and snafus to choose from last week. We start off with U.S. taxpayers who will be waiting for their tax refund checks a bit longer than expected because of problems with some companies’ tax software products.

H&R Block and Other Tax Software Product Problems Delay Tax Refunds for Over 600 000

According to several news reports, H&R Block, one of the world's largest tax services providers, which files about 1 in 7 U.S. tax returns, announced on its blog that there was “a disconnect in the transmission of form 8863 from our delivery system to the IRS [Internal Revenue Service] E-file system”. That disconnect caused a delay in its customers getting their tax refunds. Federal Form 8863 (American Opportunity and Lifetime Learning Credits) is used to claim two higher education credits. Over 600 000 H&R Block customers who had their forms filed between 14 February and 22 February are said to be affected, a story at the Washington Post reports.

Part of the problem lay with the IRS – or more specifically actions by the U.S. Congress – which delayed this year’s filing period and required changes to Form 8863. Both actions apparently caught H&R Block and “a limited number of software company” product developers off-guard, the IRS said. The tax software problems have reportedly been fixed, but refunds might be delayed by up to 8 weeks in some cases.

In another problem, about 10 days ago, Minnesota tax officials said that anyone using Intuit’s TurboTax software to file their state tax returns could be filing erroneous tax returns. At first, Intuit downplayed the errors claiming that they affected only non-obligatory tax issues such as donating $5 to a political party, but state officials countered last Monday by saying that there were about a dozen problems with the TurboTax software, most affecting tax computations, Minnesota Public Radio (MPR) reported.

Within a few days of the state's announcement, Intuit claimed that its tax software was fixed and said that only 10 000 filers were affected. However, state tax officials told MPR that as of Friday, “it still isn't sure flaws in Intuit's TurboTax tax preparation software have been fixed.” The state is still telling residents not to use TurboTax until it has fully tested out the software. It also said that some 14 000 tax returns using the software have been found to contain software-related errors.

Intuit says that it “will issue refunds to affected Minnesota state TurboTax customers for the full amount of their tax preparation fees.” Somehow, I don't think that will appease many filers who will now need to file amended returns.

Billing Problems Affect 145 000 Customers of EnergyAustralia

The Australian reported last week that problems with the introduction of EnergyAustralia's new IBM-developed billing system have meant that some 145 000 customers have not been billed for their electricity or gas usage on time, including 21 000 that have not been billed at all. The Australian says errors in the new billing system are apparently higher than anyone expected.

The Australian quotes a source as saying, “The backlog is caused by IBM middleware (software) unable to handle sales files sent by third parties such as distributors. Due to inadequate validity checking, errors are created and the IBM team in India is woefully undermanned to handle the workload. These errors have to be manually fixed, which has resulted in a growth in the backlog.”

EnergyAustralia acknowledges the system is undergoing “teething problems” and that IBM has doubled its support staff to handle the problems. The energy company also insists, however, that it’s only a “small number of customers who haven’t had the best experience.”

EnergyAustralia has about 1.25 million residential and business customers.

Montreal Métro System Shuts Down

Last Wednesday, as feared, all four lines of Montreal’s Métro System shut down completely over the lunch hour because of a known software problem in a critical main computer system server. According to a story in the Montreal Gazette, a series of Métro System shut-downs early last summer revealed that there was an “unstable server” which is “part of the main computer system used to operate the métro.” The server is used to send and receive information from “most of the systems in the métro,” Montreal’s transit agency officials stated.

A software patch was installed last July, but métro engineers determined in October that a “more complex patch” was required. The patch has been under development since then and is scheduled to be installed late this month or early in April.

However, on Wednesday morning, engineers noticed that the server’s software was becoming unstable again and was passing “bad data” to the main computer system. The engineers planned a controlled shutdown of the métro a little after noon for about 10 minutes in order to go to the back-up system. Unfortunately, the métro’s main computer system shut itself down before the engineers did as the “server gave bad data to the system and saturated the memory” of the computer. This uncontrolled shutdown complicated things, transit agency officials said.

It took over an hour to finally restore service.

Montreal’s transit agency officials apologized once again to métro riders, who have suffered outages in January and February as well. Agency officials promise the system will be better once the new software patch is put into place.

Yet Another Tesco Pricing Glitch

Given their regularity, it almost seems that U.K. retailer Tesco is deliberately creating pricing glitches to attract customers to its stores. As reported by the Telegraph, the latest pricing glitch “allowed shoppers to buy one product and get three free on 500g packs of I Can't Believe It's Not Butter (ICBNB) and multipacks of Danone Onykos yogurts.” According to the Telegraph, the pricing error worked both in the store and on-line. One shopper claimed to have paid just £9 for yogurt worth £133.

A Tesco spokesperson said that it was supposed to “be a simple buy one get one free offer” but an “IT error” was responsible for the unintended “unbeatable value.”

Last month, another Tesco pricing error showed up on in-store ads in relation to Thorton’s Premium Collection Chocolates. Here, however, the error turned a 50 percent off deal on a £7 box into a final price of £7.35 a box.

You win some, you lose some.

Woman Arrested After Spending Money Due to Pay Error

There was a story from Wisconsin radio station WTAQ about a woman in the state being arrested for spending some $10 000 paid to her by mistake by her former employer.

According to WTAQ, the woman worked for the Stein Garden Center in the City of Oconomowoc and normally earned $8.25 an hour for her labors. However, a computer error changed it to $88.25 an hour. Apparently, on receiving a windfall of $10 000, she decided to quit her job rather than tell her employer of the error.

About a month after she quit, her employer found the error and wanted the money back. The woman allegedly told the company she didn’t know anything about an error in her pay. When a police detective was called in to investigate, she then told him that she “thought the money had come from her aunt and she had already spent it on a new roof for her home.”

She later acknowledged receiving the money in error, but that “she had no intention of repaying it” since “it was the company’s mistake – not hers.”

The woman was charged, I assume with felony theft, and faces six years in prison if convicted, WTAQ reported.

Connectivity Problems Shut Down Newly Opened NHS Trust Surgery

In a bit of an oddball story, the UK press last week reported on a brand new £300 000 National Health Service (NHS) Trust doctors' surgery in Westbury-on-Severn, Gloucestershire that was shut down four hours after it opened 14 January because of “serious computer connectivity problems.” The problem remains unsolved as of today. According to the BBC, an NHS Gloucestershire spokesperson said, “Both the practice and NHS Gloucestershire have been making every effort to resolve the situation as quickly as possible, and the PCT's IT team has been working with to establish the cause of the problems. We are now very close to resolving the connectivity issues and the [Primary Care Trust] will be meeting with the surgery next week to finalise the options.”

What wasn’t explained in any of the press stories is how such a “connectivity problem” was somehow overlooked before the surgery was opened.

Glitches for Sale

Art based on digital glitches has been around for a while. Now, you can buy a storage unit that looks like it is suffering from a really big glitch. Created by designer Ferruccio Laviani and sold by Italian furniture supplier Fratelli Boff, the “good vibrations” storage unit is said to reflect “a balance between the past and the future, blending the harmony and magniloquence of the classical with the charm and allure of the contemporary” as well as to exemplify “the harmonious juxtaposition of the languages and cultures it is based upon.”

“Echoes of faraway places and Oriental elements are glimpsed in the ‘disorienting’ design of this storage unit, which seems to have been ‘deformed’ by a strong jolt or by swaying movements. Although it appears to depart from the aesthetics of the past, in fact it draws upon ancient knowledge in the use of carving and fine wood workmanship. The appeal of this extraordinary piece of furniture lies in its ability to overturn and question classical stylistic principles such as purity, cleanness and symmetry, while evoking a comforting feeling of deja-vù and a sort of primitiveness, matched by unquestionable craftsmanship.”

Okay, then… to each their own (although I must admit that I harbored some thoughts about this just being an elaborate publicity stunt).

If glitch furniture doesn’t appeal, you can always buy some limited edition US $350 Glitch Textile blankets. The blankets’ patterns, the company says, “are generated using images taken with short circuited cameras and other unorthodox digital techniques.”

These I find much more appealing.

Photo: Scott Eelis/Bloomberg/Getty Images

This Week in Cybercrime: Hackers More Dangerous than Al Qaeda?

U.S.: Hackers More Dangerous than Al Qaeda

It seems that cybercriminals and politically motivated cyberattackers have vaulted to the top of the list of security threats to the United States. On Tuesday, James R. Clapper, the nation’s director of national intelligence, told a Senate committee that hackers not affiliated (or at least not directly linked) with another nation-state could very well infiltrate the raft of poorly secured U.S. networks that control critical infrastructure such as power generation facilities. To impress upon the legislators the seriousness of the threat, he ranked cyberattacks ahead of the brand of terrorism practiced by Al Qaeda. Later in the week, Gen. Keith Alexander, the head of the Defense Department's new U.S. Cyber Command, told another collection of senators that his group is setting up its own hacker teams equipped to retaliate in the event of a major cyberattack on U.S. networks. Coincidence? Not likely, says a Tech News World article that considers the congressional testimony to be part of a shift in U.S. military strategy “pointing toward a renewed emphasis on the nation's digital defenses.” The coordinated meet and greets, say some observers, simply indicate a rejiggering of the executive branch’s funding wish list.

“The problem is not so much that cyberattacks are suddenly worse than they've been, but rather that [online attacks’] relative standing as a threat continues to rise as Al Qaeda is further dismantled,” Andrew Braunberg, a research director at information security research firm NSS Labs, told Tech News World.

U.S. Cyberattack Sentry Shut Down

Also just in time to make the U.S. government's point about the cyberattacks was the revelation this week that the NIST National Vulnerability Database (NVD), the government’s clearinghouse for information on malware and cyberattacks, was hacked and has been out of commission since last Friday. Security researchers apparently found malware on two NVD servers. But in an ironic twist, the site, which is set up to issue warnings when new viruses are propagating across the Internet, failed to sound the alarm about its own security problem.

According to a Business Insider article, Finnish security researcher Kim Halavakosk wondered why it has taken so long to get the site back up, so he e-mailed NIST to find out. He posted a response from a NIST PR rep to his Google+ account. The reply e-mail summed up the situation but offered few details regarding how the hackers got in. But the PR person was quick to assure the public that:

“Currently there is no evidence that NVD or any other NIST public pages contained or were used to deliver malware to users of these NIST Web sites. NIST continually works to maintain the integrity of its IT infrastructure and acts to limit the impact of malware on its systems. We regret the impact this has had on our services.”

Is Your Android App Spying on You?

On Wednesday, the Data Center of China Internet (DCCI) released a report that should make all Android phone users suspicious of what’s lurking inside their handsets. According to the report, roughly 35 percent of Android apps sold in China secretly steal user data even when the information is in no way related to the app’s function. Although the 1400 apps the research institute looked at were mostly sold at Chinese app markets that Google doesn’t control, it still illustrates cybercrooks’ focus on Android as well as the operating system’s vulnerability (especially the myriad jury-rigged versions that are steadily taking over China’s mobile device market).

Apparently, up-to-the-minute information on where people are is becoming a big quarry for cybercriminals. DCCI found that more than half of the apps tracked users’ locations. More than 20 percent rifled through users’ address books, while others read call records and text histories. But the most unnerving thing may be the capability of some of the apps DCCI looked at to secretly send texts and make calls right under the user’s nose.

Ovum analyst Shiv Putcha summed it up best when he noted in a blog post that, “Android is fragmenting beyond Google’s control, and Google’s Android strategy is rapidly coming undone in China with no immediate prospects for correction.”

Major Phishing Campaign Targets Australian Banking Customers

Early Thursday morning, hundreds of thousands of Australians woke up to malware-laced e-mails in their inboxes. The message, crafted to seem like it came from Westpac, Australia’s oldest bank, carried the subject line "Westpac Secure Email Notification" and the sender address "secure.mail@westpac.com.au". It instructed recipients to open an attachment that would unleash a virus. Security firm MailGuard, which identified the e-mails as fraudulent by 9:30 that morning, told the Sydney Morning Herald that by the middle of that afternoon, it had blocked more than 300 000 of the bogus alerts routed to its clients' inboxes. The first wave of messages went largely undetected, says MailGuard, because they originated from more than a thousand unique source IP addresses—many of them outside Australia.

Photo: Peter Dazeley/Getty Images

If At First You Don’t Succeed, Recall Your Product

Heaven forbid you’re cruising down the road in your new car and discover at the worst possible time that the passenger side airbag is inoperable. To avoid having its customers suffer that fate, Nissan is recalling thousands of vehicles across several model lines. The automaker filed a document with the U.S. National Highway Traffic Safety Administration (NHTSA) on 13 March indicating its plans to have drivers of 2013 model year Altimas, Pathfinders, Sentras, the Nissan Leaf electric vehicle, and the JX35 crossover SUV (from the automaker’s Infiniti luxury marque) bring them into dealers to have them inspected.

Nissan told NHTSA that the problem stems from improperly made sensors that are part of the occupant detection system that tells the airbag whether or not the passenger seat is empty—or that the passenger is a child or small adult, in which case it shouldn't fire because they might be seriously injured by the force of the bag inflating. The sensors are, in other words, essential to the airbag's do-no-harm mandate; a flawed sensor may improperly indicate that the airbag's deployment conditions have been met.

According to an article in USA Today, Nissan says it discovered the problem at its Tennessee manufacturing plant, where some vehicles rolling off of assembly lines had airbag warning lights illuminated.

Here's another thing you don't want happening as you cruise down the highway: sudden braking without your having pressed the pedal, or hard braking when you intend only to slow down slightly.

Within a day of Nissan’s recall announcement, Honda revealed that it is recalling nearly a quarter million vehicles because of an electrical problem that causes those very conditions. Honda was pushed into issuing the recall after a NHTSA investigative report said the likely culprit of the unintended braking is an electrical capacitor [pdf] that causes the brake assist feature of Honda cars’ stability control system to randomly kick in. Brake assist, a safety feature intended to reduce stopping distance in emergency braking situations, is integrated with traction and stability control, which selectively apply torque and braking to each of the vehicle’s wheels.


IT Hiccups of the Week: Royal Bank of Scotland Angers Customers Yet Again

There was a wide variety of IT-related snafus, glitches and uffdas this past week. We start off with an oldie but goodie: another IT glitch at the Royal Bank of Scotland and its subsidiaries.

Hardware Fault Affects Customers of Royal Bank of Scotland Group

Last summer, you may recall, a software update that went awry took out the IT systems supporting the Royal Bank of Scotland and its subsidiaries, NatWest and the Bank of Ulster, for quite some time; in the case of Ulster Bank, nearly two months went by before its IT systems were finally stabilized and customers had unfettered access to all their accounts. Needless to say, RBS Group customers were not amused by the long “disruption and inconvenience” as RBS Group chairman Stephen Hester called it. RBS promised its customers as well as the government that it would take steps to improve the reliability of its banking systems. Some £175 million (US $263 million) was eventually spent on customer compensation and system improvements.

Well, RBS Group managed once more to inconvenience its customers, which number 17.5 million, last Wednesday evening when a “hardware fault” disrupted access to all customer accounts. According to various news outlets such as the Financial Times, all three banks’ customers could not access ATMs, use RBS Group issued credit cards, or access any online or telephone banking services. Some customers, the BBC reported, alleged that the ATMs ate their banking cards as well.

RBS claimed that the hardware error—which it says was not related to the 2012 event—was fixed within about three hours, although some customers were still complaining of problems with accessing their bank accounts well into Thursday morning. RBS, which is getting very practiced at it, issued an apology Thursday morning “for the disruption our customers experienced” and promised to help customers who faced any problems because of the outage.

The apology hardly mollified RBS Group customers, especially when, in a bit of bad timing, it was disclosed on Thursday morning that RBS Chairman Hester would be receiving a bonus worth £700,000. Many customers were angrily asking, “For what?”

Three States Experience DMV Issues

Last week, the Motor Vehicles Departments in Georgia, Texas, and Kansas all reported having IT problems.


This Week in Cybercrime: Judge Upholds LinkedIn's "If You Put It on Our Site, Don't Blame Us If It Gets Out"

LinkedIn Not Liable

Earlier this week, a U.S. District Court in Northern California dismissed a class action lawsuit accusing LinkedIn of failing to deliver the level of security the plaintiffs say the social networking site’s privacy policy promised. A June 2012 data breach resulted in more than 6 million LinkedIn passwords being posted online. A few weeks later, a woman from Illinois and a woman from Virginia filed the suit—after learning that LinkedIn had encrypted the passwords with an outdated algorithm. Judge Edward Davila noted that the suit should not proceed to trial for several reasons. The plaintiffs, he said, wrongfully assumed that by paying for the site’s premium upgrade, they were entitled to a higher level of encryption for their data than users of the free version. Davila pointed out that, although the accusers admittedly never read the site’s privacy policy, it read,

“…we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information.”

The judge also failed to see how the posting of the passwords had, as the plaintiffs claimed, caused any economic harm or put them at future risk of identity theft.

Google’s Ups and Downs

It seems that the one-year anniversary of Google Play is not turning out to be the auspicious occasion Google had likely imagined. On Wednesday, the KrebsonSecurity.com blog reported that a new botkit is being used to trick Android users into downloading fraudulent banking apps capable of intercepting multifactor authentication messages from banks. The apps then send text messages with the purloined login credentials to the phony apps’ creators. That news appeared in the context of data that Google itself released on the Android developer blog showing that Android users can’t help but be plagued by malware. Google admitted that, based on data gleaned from mobile devices that accessed its app store during the two-week period that ended on Monday, only 16 percent of Android users have bothered to update their operating systems to the newest, safest versions. More than 40 percent of people with Android mobile devices still run a two-year old version known as Gingerbread. Kaspersky Lab, which keeps track of attempted malware installations on Android, reported that as of the end of 2012, Gingerbread was the most commonly targeted version of Google’s OS. (A SecurityLedger.com article notes that Apple, by contrast, has no such migration problems with its gadgets; 98 percent of all iPhone and iPad users run one or the other of the latest two iterations of iOS.)

The news isn't all bad about Google, though. The search-and-now-just-about-everything-else company did something this week for which it should be lauded. It struck a blow against the U.S. government surveillance program that has expanded rapidly since the passage of special laws that allow agencies such as the FBI to much more easily demand information from Internet service providers, credit bureaus, banks, and businesses like Google—all without a warrant. The demands for information, called National Security Letters (NSLs), come with a built-in gag order barring the companies receiving them from even mentioning that they’ve received them. But on Tuesday, Google became the first company to give a hint of the extent to which the FBI uses this authority. It published a document giving ballpark figures for the number of accounts for which it turned over information in a given year. For instance, it reported that in 2010 it divulged information on “2000–2999” customers; in 2009, 2011, and 2012, the range was “1000–1999.”

Although the U.S. Congress requires the FBI to disclose the number of times it issues NSLs (it sent out more than 16 000 in 2011), Google didn’t report exact numbers. “This is to address concerns raised by the FBI, Justice Department and other agencies that releasing exact numbers might reveal information about investigations,” Richard Salgado, a Google legal director, wrote in a blog post. But at least the existence of the NSLs and the potential for abuse is out in the open. The FBI continues to have this power to say information about you is “relevant” to an investigation and get unquestioned access to records—even after a 2007 Justice Department inquiry revealed that after the September 2001 terrorist attacks, the FBI regularly ran afoul of the relaxed rules regarding the acquisition of evidence.

U.S. Electronic Health Record Initiative: A Backlash Growing?

There seems to be a slow but steady backlash growing among healthcare providers against the U.S. government’s $30 billion initiative to get all its citizens an electronic health record, initially set to happen by 2014 but now looking at 2020 or beyond. The backlash isn’t so much about the need for, or eventual benefits of, electronic health records but more about the perceived (and real) difficulties caused by the government's incentive program and a growing realization of the actual financial and operational costs involved in rolling out, using, and paying for EHR systems.

The backlash began to publicly surface last September when the U.S. government accused healthcare providers of “upcoding,” i.e., claiming with a single click on a field in an electronic health record to have provided a medical service or procedure when it wasn’t really performed. Kathleen Sebelius, the current HHS Secretary, and Eric Holder, the Attorney General, sent a letter to five major hospital trade associations (pdf) warning them that electronic health records were not to be used to “game the system” and “possibly” obtain “illegal payments” from Medicare. The letter said that Medicare billing is being scrutinized for fraud, and implied that those using EHRs to bill Medicare will be scrutinized even more carefully.

Healthcare providers were outraged by accusations in the letter, and said that the reason for the increased billing was that EHRs facilitated billing for services they used to provide to the government without charging for them.

About the same time, professors Stephen Soumerai from Harvard Medical School and Ross Koppel from the University of Pennsylvania wrote an article for the Wall Street Journal contending that EHRs don’t save money as claimed. They wrote that, “…. the most rigorous studies to date contradict the widely broadcast claims that the national investment in health IT—some $1 trillion will be spent, by our estimate—will pay off in reducing medical costs. Those studies that do claim savings rarely include the full cost of installation, training and maintenance—a large chunk of that trillion dollars—for the nation's nearly 6000 hospitals and more than 600 000 physicians. But by the time these health-care providers find out that the promised cost savings are an illusion, it will be too late. Having spent hundreds of millions on the technology, they won't be able to afford to throw it out like a defective toaster.”

The professors went on to say that, “We fully share the hope that health IT will achieve the promised cost and quality benefits. As applied researchers and evaluators, we actively work to realize both goals. But this will require an accurate appraisal of the technology's successes and failures, not a mixture of cheerleading and financial pressure by government agencies based on unsubstantiated promises.”


IT Hiccups of the Week: NASA Rover Curiosity Placed Into Safe Mode

It’s been a fairly quiet week in regard to IT glitches of any major significance. That said, there were still a sufficient number of snarls, snafus and errors to interfere with work as well as generally upset, annoy and outrage a lot of people. We start off this week's review with an issue affecting NASA’s $2.5 billion Mars rover mission.

NASA Curiosity Goes into Safe Mode Due to Memory Issue

Responding to a problem it detected Wednesday morning with the data coming from the Mars rover Curiosity, NASA announced on Thursday that it had “switched the rover to a redundant onboard computer in response to a memory issue on the computer that had been active.”

NASA said that it will shift the rover from its current “safe mode” operation to full operational status over the next few days as well as troubleshoot what is causing the “glitch in flash memory linked to the other, now-inactive, computer.”

The NASA press release stated that on Wednesday the rover communicated "at all scheduled communication windows…but it did not send recorded data, only current status information. The status information revealed that the computer had not switched to the usual daily ‘sleep’ mode when planned. Diagnostic work in a testing simulation at JPL indicates the situation involved corrupted memory at an A-side memory location used for addressing memory files.”

A detailed story at CNET quoted Curiosity Project Manager Richard Cook as telling CBS News that, “We were in a state where the software was partially working and partially not, and we wanted to switch from that state to a pristine version of the software running on a pristine set of hardware.”

The project team thinks that space radiation, while a remote possibility, may in fact be to blame, CNET said. Again quoting Cook:

“In general, there are lots of layers of protection, the memory is self correcting and the software is supposed to be tolerant to it…But what we are theorizing happened is that we got what's called a double bit error, where you get an uncorrectable memory error in a particularly sensitive place, which is where the directory for the whole memory was sitting…So you essentially lost knowledge of where everything was. Again, software is supposed to be tolerant of that...But it looks like there was potentially a problem where software kind of got into a confused state where parts of the software were working fine but other parts of software were kind of waiting on the memory to do something...and the hardware was confused as to where things were.”

Cook indicated that, in essence, a reboot of the inactive computer should clear things up, but that the team will do a lot of analysis before that happens to make sure that there isn’t anything more troublesome lurking about.
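The failure mode Cook describes, memory that corrects itself until a double-bit error lands in the one place it cannot afford one, is exactly the contract of a SECDED (single-error-correcting, double-error-detecting) code. The following Python is an added illustration, not NASA or JPL code and not taken from the article: a small extended Hamming encoder and decoder, with a constructed sample byte, that repairs any single flipped bit and reports a double flip as uncorrectable rather than silently returning wrong data. The word layout (overall parity at index 0, check bits at power-of-two positions) is an assumption of this example.

```python
"""Extended Hamming (SECDED) code: corrects any single-bit error and flags,
but cannot repair, any double-bit error.  Bits are plain 0/1 ints in a list.
Index 0 of the codeword holds the overall parity bit, power-of-two indices
hold the Hamming check bits, every other index holds a data bit in order."""

from typing import List, Tuple


def _check_positions(n: int) -> List[int]:
    """Power-of-two positions (1, 2, 4, ...) below codeword length n."""
    out, p = [], 1
    while p < n:
        out.append(p)
        p <<= 1
    return out


def hamming_encode(data: List[int]) -> List[int]:
    """Wrap k data bits in r Hamming check bits plus one overall parity bit."""
    k = len(data)
    r = 0
    while (1 << r) < k + r + 1:  # smallest r with 2^r >= k + r + 1
        r += 1
    n = k + r + 1                # +1 for the overall parity bit at index 0
    code = [0] * n
    bits = iter(data)
    for i in range(1, n):
        if i & (i - 1):          # not a power of two: a data position
            code[i] = next(bits)
    for p in _check_positions(n):
        # check bit p covers every position whose index has bit p set
        code[p] = sum(code[i] for i in range(1, n) if i & p and i != p) & 1
    code[0] = sum(code[1:]) & 1  # overall parity makes the whole word even
    return code


def hamming_decode(code: List[int]) -> Tuple[str, List[int]]:
    """Return (status, data) where status is 'ok', 'corrected' or
    'uncorrectable'.  A single flipped bit is repaired; two flipped bits
    are detected, and the data returned alongside is NOT trustworthy."""
    n = len(code)
    syndrome = 0
    for p in _check_positions(n):
        if sum(code[i] for i in range(1, n) if i & p) & 1:
            syndrome |= p        # the syndrome spells out the bad position
    overall_odd = sum(code) & 1  # 0 for a clean word or an even number of flips
    fixed = list(code)
    if syndrome == 0 and not overall_odd:
        status = "ok"
    elif overall_odd:
        # an odd number of flips: assume exactly one and repair it
        fixed[syndrome] ^= 1     # syndrome 0 means the parity bit itself flipped
        status = "corrected"
    else:
        # syndrome set but overall parity still even: two bits flipped
        status = "uncorrectable"
    data = [fixed[i] for i in range(1, n) if i & (i - 1)]
    return status, data


def demo() -> dict:
    """Constructed sample: one byte, then the same word with one and two flips."""
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    word = hamming_encode(data)
    one_flip = list(word)
    one_flip[5] ^= 1             # a single upset: corrected transparently
    two_flips = list(one_flip)
    two_flips[9] ^= 1            # a second upset in the same word: detected only
    return {
        "clean": hamming_decode(word),
        "single": hamming_decode(one_flip),
        "double": hamming_decode(two_flips),
    }


if __name__ == "__main__":
    for name, (status, bits) in demo().items():
        print(f"{name:7s} -> {status:13s} {bits}")
```

The point the decoder makes explicit is the one the rover team ran into: the "uncorrectable" status is the only safe thing the hardware can say about a double flip, and whatever consumes that word (here, the directory of where everything in memory lives) has to treat it as missing rather than carry on with the bits it got. Three or more flips in one word fall outside what SECDED promises and can be misread as a single correctable error, which is why real systems pair ECC with scrubbing so that single flips are cleared before a second one accumulates.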

This Week in Cybercrime: Stuxnet Two Years Older Than Previously Believed

Stuxnet’s Development Program Was a Long Thought-Out Process

On Tuesday, researchers from Symantec’s Security Response team released a report offering proof that the Stuxnet worm that targeted industrial facilities in Iran—most especially the Natanz uranium enrichment facility suspected to be part of an Iranian effort to produce nuclear weapons—is two years older than previously thought. The 18-page report reveals that development of the malware dates back to 2005, although it first appeared in the wild in 2007. It wasn’t identified until July 2010. What explains the two-year lead time? An extended refinement process was probably part of what made Stuxnet and its precursor, Flame, so sophisticated. The exploits these bits of malware pulled off without attracting attention were "nothing short of amazing," Mikko H. Hypponen, chief research officer for F-Secure, a security firm in Helsinki, Finland, told IEEE Spectrum. Furthermore, says Hypponen, "You need a supercomputer and loads of scientists to do this." Symantec acknowledges that Stuxnet, which was designed to “take snapshots of the normal running state of the system, replay normal operating values during an attack so that the operators are unaware that the system is not operating normally... [and] prevent modification to the [compromised system] in case the operator tries to change any settings during the course of an attack cycle” is among the most complicated coding ever seen.

For more on how Stuxnet really worked and on the efforts to track it down, see "The Real Story of Stuxnet" in this month's issue of IEEE Spectrum.

Advanced Malware Escapes Sandbox with Help from Twitter

New malware designed to steal sensitive information exploits a patched sandbox-bypass vulnerability in Adobe Reader. The malicious code, dubbed MiniDuke by the researchers at Kaspersky Lab and CrySyS Lab, who discovered it and released a report about it this week, has attacked the systems of government agencies in 23 countries, mostly in Europe. Among its novel features are the use of steganography to hide the code it uses to create, then slip in and out of, backdoors in the compromised systems; the ability to assess whether a computer is in use; and the ability to determine what detection capability the machine has. MiniDuke can also reach out to Twitter accounts created by the attackers to access tweets seeded with information pointing to command and control servers offering continually updated commands and encrypted backdoors. MiniDuke successfully bypassed the sandbox protection in Adobe Reader despite a patch, released on 20 February, that was meant to close the vulnerability.

West Virginia Taken to the Cleaners by Cisco

There was a great story over at Ars Technica this week regarding a recently published special audit report (pdf) by West Virginia’s Legislative Auditor on the state’s purchase three years ago of 1164 Cisco model 3945 routers at a price of US $24 million using federal stimulus funds (a tip of the hat to a Risk Factor reader for bringing this to our attention in a comment to a recent post). The auditor concluded that the purchase not only bypassed the state’s competitive purchasing rules for IT equipment, but also bought far more capability than the state would ever need now or in the foreseeable future, and at non-competitive prices to boot.

The audit report gives the example of the “city of Clay in Clay County [which] received 7 total routers to serve a population of 491. Five of these routers are located within .44 miles of each other.” The cost of those seven routers—each of which can support 200 simultaneous users—was around $20 000 apiece.

The auditor noted that over $6.6 million was spent on Cisco model 3945 router features that weren’t necessary to begin with. Furthermore, if the state had actually purchased the correctly sized routers, it could have saved at least another $8 million or so. I say at least, because that number is based on router prices quoted in a non-competitive bidding environment—holding a competition that included other router manufacturers (Alcatel-Lucent, Brocade, HP, Juniper, et al.) would have likely saved even more money. For each $5 million saved on routers, the state could have purchased 104 additional miles of needed broadband fiber, the auditor noted.

I name those manufacturers specifically because the West Virginia audit report points to “California State University, the largest four-year university in America, [which] used a competitive bidding purchase to purchase an eight-year refreshing of its 23-campus 10G network. The Director of Cyber Infrastructure of California State University provided documentation showing that Alcatel-Lucent won the project with a bid of $22 million. Cisco’s bid was $122.8 million. The other bids were Brocade at $24 million, Juniper at $31.6 million, and HP at $41 million. Furthermore in May of 2011, Purdue University bid out replacement components for its Hansen Computer Cluster. Cisco won the Purdue University competitive bid process by offering a 76 percent discount off the cost of its products.”

Why did this wasteful fiasco happen? The audit report basically says no one really knows for certain—or at least is willing to 'fess up to being the party who screwed up: stuff just sort of happened. The best that can be determined was that those receiving the federal stimulus funds wanted to spend as much of them as fast as possible, need be damned. Or in the auditor’s words, “Those making the decisions on how to spend the money did not consult individuals with technical knowledge on the best methods to utilize the funds.”


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones