Risk Factor

Two More U.S. States Ban Employer Demands for Workers’ Social Media Passwords

On 1 January, statutes went into effect in California and Illinois that make it illegal for employers to demand that employees or job seekers reveal their social-media passwords as a condition of employment. Four other states already bar the practice; Delaware was the first, back in July, followed by Maryland, Michigan, and New Jersey.

The six legislatures took action after Facebook went public last March with news that workers were being ambushed at job interviews or threatened by supervisors. So the underlying reality is that in 44 states employers can still strong-arm workers with the ever more frequent demand: Show us the private parts of your Facebook, Twitter, and LinkedIn accounts or you can’t work here.

Organizations committed to preserving individual privacy had been pinning their hopes for a nationwide fix on a bill submitted to Congress last year that would restrict employers’ ability to force workers to choose between dignity and a paycheck. According to the legislative-tracking website www.GovTrack.us, the Password Protection Act of 2012 (H.R. 5684), which was introduced on 9 May, was sent to the House of Representatives’ Judiciary Committee that same day. The bill apparently was then whisked into a witness protection program, because it hasn’t reappeared, and if its provisions ever show up again, it’ll be under a different name.

“I’d be surprised if it isn’t reintroduced at some point,” Chris Calabrese, legislative counsel at the American Civil Liberties Union’s Washington, D.C., Legislative Office, told IEEE Spectrum. “The bill’s sponsors,” he said, “remain committed to dealing with this issue.”

Asked why so many states have yet to enact laws in the mold of those on the books in Delaware, et al., Calabrese explained that many states, whose legislatures operate inside a small window early in the year, are just now entering their first legislative sessions since the issue made news last year. In South Dakota, for example, legislators will remain in session from 8 January only until the end of March. “Six states is actually an amazing response,” says Calabrese. “We’re likely to see other states take this up in the next few months.”


As Seen on TV: A So-Called Computer Security Product

Where experts tread, snake oil salesmen are sure to follow.

Security experts tell us that to prevent criminals from guessing our computer passwords, we should use strings of letters that can’t be found in the dictionary—and we should then make the passwords even stronger by including numbers, symbols, and capitalization. The experts also recommend changing even the best passwords every few months. As the maxim predicts, someone is now hawking a new product that it says will keep your passwords protected. If you’re lucky, it won’t leave you worse off than before you used it.

I became aware of the snake oil in question, the Internet Password Minder, while watching TV late one insomnia-plagued night. A commercial touted its wonders.

“Who can remember all those tricky combinations?” the announcer asked. “So you stick them on your monitor.” At this point, the commercial cuts to an image of someone who has slapped his hard-won strong passwords—and usernames!—on Post-It Notes stuck to the edge of his computer monitor. “Not anymore!” the announcer said excitedly.

Next came the obligatory testimonial from a “Satisfied Customer”: With Password Minder, “I don’t have to worry anymore about security or identity theft. I now have all my passwords in one place. It’s great!”

Then came the enticing product shot and an in-depth explanation of how it works. It’s a… notebook that has entries (hundreds of them, as the announcer points out) with blanks that you can fill in with the name of a website, your username, and password. And get this: it organizes them alphabetically for easy reference.

Worried about security? Here’s the announcer again to dispel those concerns. The Password Minder is “bound in discreet leatherette.” WHEW! After all, who would gaze upon the grain of the fine manmade material covering this portable data vault and not be fooled into thinking, “That couldn’t possibly be the ring containing the keys to someone’s own personal digital kingdom. No need to look in there.” And prying eyes might not see it anyway, because as another video clip showed, the Password Minder can be put into a drawer and the drawer can be closed. And when I say closed, I mean shut. You’d have to actually open the drawer to see the book.

It's hard to imagine anyone resisting such a foolproof product, but just in case, the marketers of this product concluded the pitch by sweetening the deal: “Call right now,” the announcer urged, “and you can double the offer.” That’s right: two Password Minder notebooks for just $10.

The NYSE's Year of Living Dangerously Ends With Yet Another Glitch

In an apropos finale, the New York Stock Exchange suffered one last trading glitch on New Year’s Eve. According to Dow Jones Business News, the NYSE issued “an alert to traders at 3:19 p.m. EST that its equity market was experiencing an issue with one of its engines that matches ‘buy’ and ‘sell’ orders and that 26 issues were affected, including BBX Capital Corp. (BBX), Verso Paper Corp. (VRS) and TransAlta Corp. (TAC).”

Although the trading problem was fixed within five minutes, it served to remind everyone of a year of trading-related snafus not only at the NYSE (August, November), but also at the Johannesburg Stock Exchange (January), the SIX Swiss Exchange (January), the Tokyo Stock Exchange (February, August), the BATS exchange (March), the Madrid Stock Exchange (August), Indonesia’s Stock Exchange (August), the Nasdaq (August, October, November, December), Australia’s Stock Exchange (October), India’s National Stock Exchange (October), Sweden’s Stock Exchange, which is operated by Nasdaq OMX (November), and the Chicago Mercantile Exchange Group (December), to name only a few.

There was also the infamous August Knightmare on Wall Street, where “zombie software” caused market-maker Knight Capital Group to lose some US $440 million in about 45 minutes. Knight Capital had to seek financial help to avoid bankruptcy, and was sold last month for $1.4 billion to Getco Holding Company LLC, one of the firms that financed Knight during its troubles. Knight Capital’s CEO Thomas Joyce conveniently and disingenuously blamed the firm's problem on “knuckleheads” in his IT department.

Last year was supposed to be a year when the world’s stock exchanges were going to clean up their acts, given that, according to the Financial Times, there were over 20 European exchange incidents alone in 2011. But 2012 seemed to be a lost year in that regard.

A story in the Wall Street Journal today reported that the exchanges and market participants are promising (again) that this year they really will manage their operational risks better. For example, a pilot program being rolled out next month is meant to strengthen market-wide circuit breakers, and limits will be imposed on how far a stock’s price may move from its average price over a 5-minute interval. The U.S. Securities and Exchange Commission, which approved the above changes, is also creating a tracking system for U.S. stock activity to help it quickly audit what happens when something goes awry.

The fixes are meant to help convince ordinary investors (and professional traders) that the exchanges haven’t grown too complex to manage, but the changes may be water off a duck’s back at least for the many ordinary investors who, after the great stock sell-off of 2008 and the continued world economic turmoil including the on-going US fiscal cliff brinksmanship, no longer trust the markets.

This Week in Cybercrime: Careful—The Phone on Your Desk Could Be a Remote Listening Device

Exploit Could Let a Hacker Listen In On Your Conversations—Even After You Hang Up the Phone

It was widely reported this week that Ang Cui, a Columbia University PhD candidate, hacked Cisco’s near-ubiquitous VoIP office phone. The exploit, which Cui dubbed the “Funtenna,” gave him elevated privileges, including the ability to use the phone as a listening device to eavesdrop on what is going on in the room—whether the phone is on the hook or not. But that’s not the worst of it. “Once you compromise the phone, you can use the phone as a general-purpose computer to attack other phones or devices on the network,” Cui told Kaspersky Lab’s Threatpost blog. “It’s like a self-propagating worm that can attack a phone, printer, router, access points—all behind the firewall. The attacker has persistent presence on the network,” Cui said. Carrying out a demonstration of the attack was as simple as connecting an external circuit board to the phone’s standard phone jack plug; the circuit board became the receptacle into which the exploit was transferred via Bluetooth from his smartphone. From there, Cui was able to exploit a kernel-level vulnerability and gain access to the Cisco phone’s file system—then those of all other phones on an office’s network. Worse yet, Cui says, he and his colleagues could also remotely compromise Cisco phones over the Internet with no need for physical access.

Spammers Cut Costs by Taking Mobile Phone Conscripts

Computerworld reports that spammers have come up with a new way to get their messages across. They hijack Android mobile phones and get the infected gadgets to do their dirty work. This solves two problems from text-message spammers’ perspective: they no longer have to buy thousands of SIM cards (each of which gives them a new “sender” but is eventually deactivated by a network operator for abuse) to run their spam campaigns; and they no longer have to be in the same country as the message recipients in order to avoid international SMS sending charges. Security vendor Cloudmark told Computerworld that the virus was contracted when users downloaded either of two Android games hosted by a server located in Hong Kong that contained malware directing the phones to connect with rogue servers. The command-and-control servers gave each phone a list of around 50 phone numbers along with the message the spammer sought to deliver. “The malware on the Android device will wait a little more than one second after sending a message, then will eventually check in with the rogue server to obtain more numbers,” Andrew Conway, lead software engineer with Cloudmark, told Computerworld. “If the phone is shut off and turned on again,” Conway said, “the malware reboots and installs itself as a service on the phone.”
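The cadence Conway describes (a batch of roughly 50 numbers handed out by the command-and-control server, a fixed pause after each send, then a check-in for more) is the kind of pattern a carrier-side or device-management log review can flag without any malware signature. The following is an added example, not code from Cloudmark, Computerworld, or the article: a heuristic that scans a constructed SMS send log for devices messaging many distinct numbers at a near-constant interval. The sample log, the 120-second window, the threshold of 20 unique recipients, and the 0.5 s jitter tolerance are all assumptions made for this example, not values taken from the report.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log for illustration: (device_id, send_time_epoch_s, recipient).
# The "infected" device mimics the behaviour described in the article: a batch
# of 50 distinct numbers sent about one second apart. The "normal" device sends
# a few messages to repeated contacts at irregular intervals.
SAMPLE_LOG = [
    ("dev-normal", 1000.0, "+15551000001"),
    ("dev-normal", 1380.0, "+15551000002"),
    ("dev-normal", 1390.0, "+15551000001"),
    ("dev-normal", 2800.0, "+15551000003"),
] + [
    ("dev-infected", 5000.0 + 1.1 * i, f"+1555200{i:04d}") for i in range(50)
]


def find_spam_senders(log, window_s=120.0, min_unique=20, max_jitter_s=0.5):
    """Flag devices whose outbound SMS stream looks machine-driven.

    A device is flagged when, within any span of ``window_s`` seconds, it sends
    to at least ``min_unique`` distinct recipients and the gaps between
    consecutive sends are nearly constant (every gap within ``max_jitter_s`` of
    the median gap). The thresholds are assumptions chosen for this example.

    Returns {device_id: {"unique_recipients": n, "median_gap_s": g}} describing
    the widest qualifying window found for each flagged device.
    """
    by_device = defaultdict(list)
    for device, ts, recipient in log:
        by_device[device].append((ts, recipient))

    flagged = {}
    for device, events in by_device.items():
        events.sort()  # order by send time
        times = [t for t, _ in events]
        best = None
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most window_s.
            while times[end] - times[start] > window_s:
                start += 1
            recipients = {r for _, r in events[start:end + 1]}
            if len(recipients) < min_unique:
                continue
            gaps = [times[i + 1] - times[i] for i in range(start, end)]
            med = median(gaps)
            jitter = max(abs(g - med) for g in gaps)
            if jitter > max_jitter_s:
                continue  # many recipients but human-like irregular timing
            if best is None or len(recipients) > best["unique_recipients"]:
                best = {"unique_recipients": len(recipients),
                        "median_gap_s": round(med, 2)}
        if best is not None:
            flagged[device] = best
    return flagged


def recipients_to_block(log, device_id):
    """Distinct numbers a flagged device messaged, for downstream blocking."""
    return sorted({r for d, _, r in log if d == device_id})


if __name__ == "__main__":
    hits = find_spam_senders(SAMPLE_LOG)
    for dev, info in hits.items():
        print(dev, info, len(recipients_to_block(SAMPLE_LOG, dev)), "numbers")
```

The jitter test matters as much as the recipient count: a human clearing a backlog of replies also hits many numbers, but not on a metronome. Tuning the window and thresholds against real traffic, and checking which numbers the flagged device targeted, is the analyst's job; the heuristic only narrows the list.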

Iran Still a Cyberattack Target

In 2010, Iran bore the brunt of the most sophisticated cyberattack seen to that point when its Natanz uranium enrichment facility was pummeled by the now-infamous Stuxnet malware, which knocked out roughly a thousand centrifuges. This year finds computer systems there still in the crosshairs. Researchers at Kaspersky Lab report that computers in Iran have been beset by a new strain of malware that wipes disk partitions clean of files. The attack, which Kaspersky Lab researcher Roel Schouwenberg characterizes as “extremely simplistic,” deletes all the files on drives D through I, as well as the desktop and user profiles. “But if it was effective, [its simplicity] doesn’t matter,” says Schouwenberg. The malicious program, which was reported on 16 December by Iran’s computer emergency response team, is set up so that it launches on specific dates—some as far out as 2015.

We’ll Get Around to It—Eventually—Says Adobe

A well-known saying in Spanish culture is that “Mañana doesn’t mean ‘tomorrow’; it just means ‘not today.’” That may be the thinking behind Adobe’s unfathomable delay in fixing a dangerous vulnerability in its Shockwave multimedia player. U.S. CERT notified Adobe on 27 October 2010 that users who launch older multimedia content unwittingly cause the application to downgrade to an earlier version that lets hackers use exploits that had been rendered obsolete. "For example, the legacy version of Shockwave provides Flash, which was released on November 14, 2006 and contains multiple, known vulnerabilities,” said the CERT alert. You might think that Adobe would have raced to close the security hole. But you’d be wrong. The software maker says it doesn’t plan to deploy a fix until February, when it introduces the next major upgrade of Shockwave. That’s right: more than 2 years after it became aware of the problem.

Wearable Computers the Size of Buttons to Monitor Health

Like it or not, the insides of our bodies are becoming open books, as open as a book is when scanned by Google or Amazon, in fact. And there are seemingly as many benefits as risks.

In just the latest of many recent developments, the University of Texas at Dallas, in a new press release, notes that patients who require continuous observation of their medical condition—for example, to see if they're taking their medications on time—could benefit substantially from button-sized wireless computers that monitor a person’s health. Roozbeh Jafari, an assistant professor of electrical engineering, is creating just such devices.

The primary focus of Jafari's research has been making a wireless monitoring device smaller by reducing the monitoring (and algorithms) to only those absolutely necessary, which in turn reduces the amount of energy (in the form of bulky batteries) required to run the device. He takes this approach to the biosensors connected to the device, as well as to the microcontrollers used to communicate information from the device to external monitoring systems. Jafari indicates that by tailoring the device to the patient's specific medical condition, data, algorithmic processing, and energy requirements can be further optimized.

Jafari decided to take this total system optimization approach because he observed that, “Signals and events observed from the human body tend to change slowly,” as well as, “The physics and kinematics of the human body reduce[s] the likelihood of random body signals and movements.” Therefore, the data and processing required to detect a meaningful change in the medical status being monitored can be substantially minimized.

The UT Dallas press release notes that, for example, a major worry with elderly patients is that they will suffer a crippling fall. According to the Centers for Disease Control and Prevention, one out of three adults over the age of 65 fall each year; falls are also a leading cause of death for that age group.

A wearable computer such as the one Jafari is developing could be designed to detect precursors to a fall in an elderly patient and wouldn’t require much in the way of processing power or energy to determine if the patient were in a sitting position and therefore not at risk.

The technology to remotely monitor patient health has accelerated over the past year. In March, for instance, the world’s first flexible, organic transistor that can be sterilized was manufactured. Health monitoring devices that suffer from electrical degradation caused by the high-temperature sterilization process can, with the new material, be safely sterilized and implanted.

According to an article in October in InformationWeek, “ABI Research has projected that by 2016, wearable wireless medical device sales will reach more than 100 million devices annually. The market for wearable sports and fitness-related monitoring devices is projected to grow as well, reaching 80 million device sales by 2016.”

The InformationWeek article has a neat little slideshow that discusses ten wearable health monitoring devices, many on the market now, from a shoe insert that can monitor the rehabilitation progress of a patient suffering from a mobility injury to a chest sensor that communicates with a smart phone to support the remote monitoring of patients with cardiac arrhythmias. And some other devices are described in a September IEEE Spectrum feature, "How I Quantified Myself," by science writer Emily Waltz.

The risks of all this health data being recorded and stored in the cloud are manifest. But so are the potential benefits. Minimizing the one and maximizing the other will be one of the great IT challenges of the next decade.

IT Hiccups of the Week: Red Light Camera that Ticketed Stationary Car, Airbag for Smartphones

There was a potpourri of IT-related hiccups from this past week to report on. We start with a report in the Baltimore Sun about how the Baltimore police department finally admitted that a driver should not have been issued a speeding ticket last April. Why not? All available evidence indicates that the vehicle was not even moving. 

According to the story, the driver of a Mazda was given a ticket for traveling 38 miles per hour in a 25 mph zone—even though video from the speed camera that automatically issued the citation and time-stamped photos from two separate still cameras showed that the vehicle was stopped at a red light at the time the supposed infraction occurred. Worse, says the Sun, the photos and footage were supposedly reviewed by the vendors (Xerox State and Local Solutions) who operate the speed camera under city contracts and by a Baltimore law enforcement officer before the citation was issued.

A Baltimore police spokesperson could not provide an answer to the Sun's question regarding why the obvious error was overlooked. The Sun also reported that after running 189 tests on the camera that issued the faulty speed reading (and apparently several others), Xerox couldn’t figure out what caused the camera to periodically malfunction. The city has 83 speed cameras and 81 red-light cameras; they've generated $48 million in fines over the past three years, the Sun reported. Baltimore is now conducting a review of both the cameras’ reliability and the city's ticketing review process, both of which are obviously deficient. Although the city says that “any error is unacceptable,” so far I can find no mention of an apology having been issued by the city to the erroneously ticketed driver.

Next, we have an IT-related error that helped rather than harmed those affected. A story in the Atlanta Journal-Constitution reported that online shoppers visiting HomeDepot.com last week got an early holiday present: many of their purchases ended up being free. According to the story, Home Depot ran a promotion offering $101 off a specific appliance. However, the promotion was accidentally applied to every online purchase made during a short period before the error was caught. All transactions under $101 cost would-be purchasers nothing, and many more purchases were heavily discounted. Home Depot said it was honoring all customer purchases made before the glitch was fixed.

Many couples in Thailand last week wish that they had that type of luck. According to a story at the Phuket Wan Tourism News, a “nationwide data issue” at the Thai Interior Ministry meant that many couples who wanted to be wed at exactly 12:12 on 12 December 2012 were unable to be accommodated, leaving them in tears and looking for another lucky day to be wed.

While maybe not causing tears, computer issues are creating a lot of very unhappy businesses and employees in New Mexico and in Massachusetts. In New Mexico, no vendor checks have been issued since 4 December. Vendors doing business with the state were told that they would have to wait at least another week before getting paid because the state’s SHARE payroll and accounting system continues to be beset by errors that require correcting. According to the report from the Santa Fe New Mexican, “The problem was identified after the SHARE system went down late last week for routine maintenance. Since then, technicians have been working to remove corrupt files that have the potential to create additional problems if left uncorrected.”

In June, New Mexico admitted that the SHARE payroll system had gone “haywire,” causing havoc with the paychecks of thousands of the state's 22 000 employees. So far, the state has paid more than $200 000 to fix that problem.

In Massachusetts, media outlets are reporting Attorney General Martha Coakley has told the National Grid—transmitter and distributor of electricity and natural gas to customers in New York, New Hampshire, Massachusetts and Rhode Island—that it had better begin paying its employees correctly (including all of the overtime hours they put in in the aftermath of Hurricane Sandy) – or else face a fine.  Apparently, National Grid rolled out a new payroll system as part of a $365 million upgrade to its human resources, finance and supplier management operations just a few weeks before Sandy hit, the Times Union reported last month. Even in the best of times, there are likely to be some payroll errors when a new accounting system goes live. But the hurricane forced many National Grid employees to work hours they normally don't and at locations they normally wouldn't. The resulting payroll adjustments “overloaded” the payroll personnel, who were still dealing with issues related to conversion to the new accounting system.

As a result, some 2000 of the National Grid’s 17 000 U.S. employees have either been paid incorrectly, or not at all, for the last six weeks or so—hence Coakley’s "or else" warning to the utility to fix the problem by this Friday. Whether this is possible remains to be seen; the utility’s president recently promised that the problems wouldn't be cleared up before the end of the month.

And in what is becoming a weekly event, another stock exchange trading error has been reported. Nasdaq had to cancel trades in nine major U.S. stocks last week. According to Bloomberg News, “The errors took place in the minute before the regular opening of trading, the Nasdaq OMX Group Inc. unit said on its website. Goldman Sachs fell as much as 20 percent to $94.01 and Hewlett-Packard plunged 79 percent to $3.06 before the trades were broken. Sprint touched $2.82, a 50 percent decline, prior to the Nasdaq’s decision to reverse those transactions.”

The Bloomberg article indicated that although traders were unhappy with the error, they seem resigned to the fact that future computer-related exchange errors are more, not less, likely. This pessimism is probably realistic: the Toronto Stock Exchange reportedly suffered a “data freeze” problem the same week that prevented traders from seeing some stock prices in real time for a while. Trading wasn’t affected, however.

Finally, we have two stories on efforts to reduce human error when dealing with IT devices. The first is from the New York Times which writes that Google is trying to avoid “fat finger” click mistakes on smart phones.  Often, when scrolling on a smart phone screen, a person will hit an advertiser’s ad by mistake. This irritates the person, and the error rate is such it causes mobile ads to earn less money than ads shown on desktop computers, the Times states.

The Times says that, “When people click on image ads sold by Google that appear in cellphone apps, Google will double-check that the person wants to visit the advertiser’s Web site before taking them there, by asking them to click again on a button labeled ‘visit site.’ ”

The Times says that while Google tests indicate the approach “decreases the number of clicks on ads,” it “increases the number of people who make a purchase or otherwise interact with an advertiser after clicking.”

The second effort concerns a patent application, originally filed in February 2010 but only disclosed last week, by Amazon CEO Jeff Bezos and VP Greg Hart for an “airbag” for smartphones, or, as the application describes it, “a system and method for protecting devices from impact damage,” GeekWire reports. I wonder if they also filed a patent for a smartphone life preserver, since 19 percent of cellphones are reportedly dropped in a toilet.

Reading the patent description and looking at the published pictures, I think Bezos and Hart’s real calling is in designing advanced defense systems, especially the ones that are blindingly ingenious but utterly useless.

This Week In Cybercrime: Mass Transit Surveillance Systems Keep Ears and Eyes on You

Can the Government—Or Worse, Hackers—Eavesdrop As You Commute?

They know what you said in anger on the bus last week. That could certainly be the case if you were a passenger on a public bus in San Francisco, California; Eugene, Oregon; Traverse City, Michigan; Columbus, Ohio; Baltimore, Maryland; Hartford, Connecticut; or Athens, Georgia. Transit authorities in these cities have already installed microphone-enabled surveillance systems on their buses—some with technology for distinguishing conversations from the background noise of wind, traffic, and the bus’ engine. The audio and contemporaneous recordings from multiple video cameras are stored onboard in black boxes that can accommodate as much as 30 days of data. More cities are looking into installing such systems on their buses despite potential drawbacks related to privacy and security. These systems are designed to be remotely accessible via built-in servers. It is possible to monitor the audio and video in real time—all while tracking a bus using the GPS data the system records.

The Daily reports that transit officials cite the systems’ benefits—improving the safety of passengers and drivers and helping to resolve complaints from riders—as good reason to have them in place. But Ashkan Soltani, a privacy and security expert, told the Daily that the audio could easily be coupled with facial recognition systems or audio recognition technology to identify passengers caught on the recordings. Civil liberties groups are up in arms at the potential to use the footage to prosecute people or at least monitor them; that, they insist, would be a clear violation of wiretapping laws and constitutional protections against illegal search and seizure.

And then there is the matter of information about your whereabouts and your private conversations falling into the hands of a hacker. According to the product pamphlet for one such system, remote connectivity “can be established via the Gigabit Ethernet port or the built-in 3G modem. A robust software ecosystem including LiveTrax vehicle tracking and video streaming service combined with SafetyNet central management system allows authorized users to check health status, create custom alerts, track vehicles, automate event downloads and much more.” What might a cybercriminal do with all that information? I shudder to think.

Facebook Helps Authorities Nab Botnet Bandits

Wired reports that 10 people who used botnets to take control of more than 11 million computers and steal about US $850 million have been arrested. The cybercriminals, who were arrested in the U.S., Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, and the United Kingdom, were behind the Butterfly Botnet (also known as the Slenfbot) that used the Yahos virus to infect the computers. Most of the victims had one thing in common: they were Facebook users who fell prey after clicking on fraudulent links in messages that appeared to come from friends but were actually the creation of the cybercrooks. The Yahos malware, which was unleashed with the ill-fated clicks, is designed to steal users’ banking login, password, and/or pin, credit card and bank account information, and other personal data.

Wired says that law enforcement was able to crack the case because of the assistance of Facebook. In an online statement released on 12 December, the social media site noted that, “In 2010, Facebook began investigating the Yahos malware and our automated systems were able to identify affected accounts based on suspicious activity. Once we were able to identify affected accounts, we were able to mitigate the threats posed by these viruses…As a result of our research, we were able to provide intelligence to law enforcement agencies about the capabilities and architecture of the malware.” Facebook also reported that the attack would have been worse but for the site’s anti‐spam systems; nevertheless, it has provided a link to help users determine if their computers were misused by the cybercrooks and to obtain free anti-virus software if a machine is shown to have been blighted by the malicious code.

Industrial Control Systems Remotely Hacked

An FBI memo revealed in July that hackers took advantage of a vulnerability in a New Jersey air conditioning company's industrial control system and gained control of the firm’s heating, ventilation, and air conditioning units. According to Kaspersky Lab, the alert received public notice just this week when a report about the online break-in was published on a Web site operated by Public Intelligence, an international research project that advocates for public access to information. The first of the intrusions, which call into question the security of the SCADA systems that manage much of the United States’ critical infrastructure, apparently occurred on 3 February, a few days after someone going by the moniker "@ntisec" posted on "a known U.S. website" that hackers were targeting SCADA systems to direct more attention to their vulnerabilities. The posting included a list of URLs—one pointing to the very HVAC control system that was subsequently accessed—and information about downloading and decrypting a file containing user credentials that gave administrator access to the industrial control systems used by the companies whose Web addresses were on the list.

Ford to Offer Software Fix in Recall of Fusion and Escape Vehicles

About 10 days ago, Ford announced a recall of 15 833 current-model Fusion sedans and 73 320 Escape crossover vehicles in the U.S. and Canada manufactured from 3 February 2012, through 29 November 2012 because their 1.6-liter engines could overheat and catch fire. Ford had received reports of 12 vehicles catching fire since the vehicles were first sold, a story at AutoWeek stated.

According to the 3 December recall notice, “the engines may overheat leading to fluid leaks that may come in contact with the hot exhaust system.” When Ford made the announcement, it had not isolated the cause of the problem, or, in the mistakes-were-made passive voice of the recall notice, “a remedy for this recall campaign is still under development.”

Ford told the Detroit News that it was working on a fix “which is designed to keep the fluids from reaching the hot exhaust components.” Until then, drivers were warned to pull to the side of the road and exit the vehicle if their instrument cluster indicated “Engine power reduced to lower temps” or “Engine over temp, stop safely.” Ford promised to “compensate owners for costs tied to overheating,” the LA Times reported.

Well, according to a Ford press release on Monday, “an intensive, cross-discipline engineering team”  discovered the root of the problem lay in “an original cooling system design [that] was not able to address a loss of coolant system pressure under certain operating conditions, [and] which could lead to a vehicle fire while the engine was running.”

To address the problem, Ford plans “software updates to the cooling system” which “will better manage engine temperatures during a unique overheating condition that could occur under unique operating conditions.”

Ford says it expects to have the software update at its dealerships by early next week, and that the fix should take less than half a day to complete. Until then, Ford is advising Fusion and Escape owners affected by the recall “to contact their dealer to arrange for alternative transportation at no charge.”

In a massive vehicle recall that software can’t fix, Honda announced yesterday that it was recalling 318 000 2003-2004 Honda Odyssey and 259 000 Honda Pilot vehicles and some 230 000 2003-2006 Acura MDX vehicles because of faulty ignition interlocks. An article at the Detroit News states that, “The ignition cylinder park-shift interlock is supposed to prevent the key from being removed until the [automatic] transmission is shifted to park.”

However, some worn interlocks allowed drivers to pull out their keys without the car being shifted into park, even though they thought they had done so. The National Highway Traffic Safety Administration said that it had received reports of 26 vehicles rolling away after keys were removed from the ignition interlock.

Honda says it is going to “remove the original interlock pin and lever and replace them with redesigned components,” although this won’t happen until next year, the Detroit News reports. Until then, owners of the recalled vehicles should make sure they engage their parking brake before exiting the vehicle.

Cybercriminals Hold Australian Medical Clinic Electronic Patient Records Hostage

ABC News Australia published a report this week about a small medical clinic in Queensland, Australia that discovered cybercriminals, apparently Russian in origin, had been able to break through both the clinic’s server firewall and password system and successfully encrypted all of the clinic’s patient electronic medical records. Thousands of patient files are now said to be inaccessible.

The cybercriminals reportedly are demanding the clinic pay A$4000 to decrypt the information, something that the clinic so far is refusing to do. The clinic's owner says that he is worried that if the clinic does pay, the cybercriminals will decrypt only a small number of patient records, and then demand additional ransom monies on promises to decrypt the remainder, and so on. Right now, the clinic is trying to determine how many patient records can be rebuilt from information retrievable from pharmacists and hospitals, but the owner admits it is “very, very, very difficult” to operate effectively without access to the clinic's patient records.

This incident seems to be just the latest in a trend that is following the increasing digitization of medical records. A Bloomberg story from August describes several incidents of similar extortion demands made on clinics in the United States, as well as thefts of electronic medical records.

Healthcare providers seem to be an especially good target of opportunity for cybercriminals. According to a new benchmark survey published by the Ponemon Institute, some 94 percent of U.S. healthcare organizations have suffered a data breach in the past two years, and 45 percent have admitted to experiencing five such breaches over the same period. In addition, Ponemon's survey reports that "54 percent of organizations have little or no confidence that they can detect all patient data loss or theft," which isn't surprising, given that 73 percent of healthcare providers surveyed admit that they "still have insufficient resources to prevent and detect data breaches... and 67 percent of organizations don’t have controls to prevent and/or quickly detect medical identity theft."

You may remember from a few years ago that the state of Virginia's Prescription Monitoring Program website containing prescription information on 530 000 patients was similarly attacked. A cybercriminal claimed to have stolen the patients’ prescription information, encrypted it in a file, and deleted the data. He (or she) demanded, in a ransom note left on the website, US $10 million for the information's safe return. While state officials (eventually) admitted the website was indeed breached and information likely taken, the state also said that it had all the patient information securely backed up. No ransom was ever paid, and the would-be extortionist has never been caught.

As a story in NetworkWorld commenting on the Australian medical clinic situation noted, organizations that have securely stored sensitive information offline or in the cloud have been the most successful in keeping such extortionists at bay.
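The point behind both the Virginia and the Queensland stories is that a copy of the records that the intruder cannot reach makes the ransom demand moot, but only if you can tell which live records are still trustworthy and which have been overwritten or deleted. The following is an added example, not code from the clinic, the state of Virginia, or any vendor named above: it builds a SHA-256 manifest alongside an offline backup and later compares the live data set against that manifest, reporting each record as intact, modified, or missing. File names, record contents, and the tampering applied in the demo scenario are all constructed for illustration.

```python
"""Backup-integrity check for a set of patient record files.

Constructed example (not the clinic's or any vendor's code).  The manifest is
written next to the offline copy; the live data set is later compared against
it so that only records proven intact are trusted and the rest are restored.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to backup_dir) to its SHA-256 digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(live_dir: Path, manifest: dict) -> dict:
    """Compare the live data set with a manifest taken from the offline copy.

    A record whose digest no longer matches (for example, one overwritten with
    ciphertext) is reported as modified; one that no longer exists as missing.
    """
    report = {"intact": [], "modified": [], "missing": []}
    for rel_path, expected in manifest.items():
        live_file = live_dir / rel_path
        if not live_file.exists():
            report["missing"].append(rel_path)
        elif sha256_file(live_file) != expected:
            report["modified"].append(rel_path)
        else:
            report["intact"].append(rel_path)
    return report


def demo() -> dict:
    """Constructed scenario: three records backed up, then the live copy damaged.

    Returns the verification report so a caller can act on it (e.g. restore the
    modified and missing records from the offline copy).
    """
    # Constructed sample records; contents are placeholders, not real data.
    records = {
        "p0001.json": b'{"id": "p0001", "allergies": ["penicillin"]}',
        "p0002.json": b'{"id": "p0002", "allergies": []}',
        "p0003.json": b'{"id": "p0003", "allergies": ["latex"]}',
    }
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp) / "offline_backup"
        live_dir = Path(tmp) / "live"
        for directory in (backup_dir, live_dir):
            directory.mkdir()
            for name, body in records.items():
                (directory / name).write_bytes(body)

        # Manifest is taken from the offline copy and stored beside it, then
        # round-tripped through JSON as it would be when read back later.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup_dir), sort_keys=True))
        manifest = json.loads(manifest_path.read_text())

        # Stand-in for damage to the live copy: one record's contents replaced
        # with bytes that are not the original, one record deleted outright.
        (live_dir / "p0002.json").write_bytes(b"not-the-original-record")
        (live_dir / "p0003.json").unlink()

        return verify_against_manifest(live_dir, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself must live with the offline copy (or be signed) for the check to mean anything; a manifest sitting on the same server as the live records can be rewritten by whoever rewrote the records.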

Image credit: Wikipedia/Rama and Eliot Lash

IT Hiccups of the Week: Australian Police Warn About Apple Maps, Numerous SaskTel Wireless Customers Billed $100 000

This has been a relatively quiet week with regard to IT-related problems that tend to annoy us. But we'll start off with transportation systems disrupted by computer issues—two at airlines and one on a metro system. The Chicago Tribune reported that United Airlines suffered “intermittent Internet connectivity issues” last Friday, causing some of its computer systems “to run more slowly than normal.” The problem didn’t affect all of United’s operating locations, but it struck the airline's major Chicago O’Hare International Airport hub. Luckily, no flights were delayed or canceled, unlike several other recent episodes.

Passengers on Utah-based SkyWest Airlines weren’t so lucky yesterday. According to the Salt Lake Tribune, the centralized aircraft management system that provides flight crews with information on their planes' weight, balance, fuel, and the like crashed on Sunday morning at 0500 Mountain Time and did not return to normal until 0700. Flights were disrupted for the remainder of the day as a result.

Also yesterday, an unexplained computer system failure shut down Montreal’s entire metro system at 0800 EST. News reports say that restoration of service began about 45 minutes later.

Also in Canada were reports earlier in the week about some 9000 Saskatchewan Telecommunications Holding Corp. wireless customers who received incorrect bills that the company says “may range from a few cents to [CN] $100 000.” The story at the Globe and Mail quotes a SaskTel spokesperson as saying that a “network capacity enhancement” to its 4G LTE network resulted in customers' Saskatchewan data being charged at U.S. data rates.

The SaskTel spokesperson went on to say, “We apologize for any inconvenience. Thank you for your patience as we continue making network improvements.”

A spokesperson from Cuscal, the owner of the RediATM network in Australia, also “sincerely” apologized to users of its ATM network over the weekend. The network reportedly crashed for about three hours on Saturday, disabling ATMs across Australia. According to a story in the Sydney Morning Herald, the RediATM network is one of the largest in Australia, with about 3000 ATMs. On top of the inconvenience of not having access to an ATM during a major holiday season shopping day, apparently some customers reported that "money had been deducted from their accounts, despite an error message appearing on the ATM screens declaring the transaction had failed.” Cuscal stated that it has taken action to reimburse cardholders, but if any problems are not resolved, customers can submit a complaint form to them today.

Finally, also in Australia, AFP reports that Victorian police are warning Apple Map users not to depend on the app to navigate to the inland town of Mildura, which is about 310 kilometers northwest of Melbourne, as it could turn deadly. Instead of being directed to the town, Apple Map users are being sent “off the beaten track” to isolated and hazardous terrain in the Murray Sunset National Park, some 70 kilometers away from Mildura.

AFP reports that the police have released a statement saying they are "extremely concerned as there is no water supply within the park and temperatures can reach as high as 46 degrees Celsius (114 F), making this a potentially life threatening issue.”

Police said that they have had to rescue lost drivers and passengers from at least five vehicles that have been stranded in the park without food or water for 24 hours as a result of following Apple Map directions to Mildura. One lost driver got stuck in an area of the park which had no cell phone coverage, and had to walk for 24 hours before he was able to find a signal and call police to be rescued.

Apple would not comment on the story except to refer “to an earlier statement that it was doing everything it could to fix problems with the maps application in the new operating system used by the iPhone 5,” the AFP story states. Victorian police say they have contacted Apple about the issue.

Unfortunately, the AFP story doesn’t say where Apple Maps sends you when you actually want to drive to Murray Sunset National Park. Anyone know?

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones