Risk Factor iconRisk Factor

This Week in Cybercrime: Hackers Break Into News Outlets’ Computers

Hackers Break Into News Outlets’ Computers to Peek at Reporters’ Notes

On 30 January, the New York Times reported on its site that it was the victim of a sophisticated campaign of cyberattacks aimed, it suspects, at uncovering the names of sources who provided information about the business dealings of Chinese Prime Minister Wen Jiabao and his family. (In fact, we’re learning that the Times was only the latest publication to have its systems raided, but more on that later.) According to the NYT article, Chinese hackers—who tried to cover their tracks by infecting and remotely controlling computers at U.S. colleges then using those compromised machines to send the malicious code—started snooping around the Times’ internal networks as early as 13 September. This after word got out that journalists at the daily’s Shanghai bureau were conducting research into how Wen had amassed a fortune worth billions. According to a researcher at Mandiant, the computer security company the paper hired to exorcise the malicious code:

“[The hackers] set up at least three back doors into users’ machines that they used as a digital base camp. From there they snooped around The Times’s systems for at least two weeks before they identified the domain controller that contains user names and hashed, or scrambled, passwords for every Times employee.”

Mandiant discovered that the hackers used the passwords to access the computers of 53 Times employees. But Times Executive Editor Jill Abramson, who was quoted for the story, says, “Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied.” The Times was also quick to offer reassurance that no customer data was stolen. But what the hackers did in fact take is still an open question.

Even after the article about Wen was published on 25 October, the hackers continued snooping. The Times article references a December intelligence report prepared by Mandiant. The security firm had uncovered evidence that the “Chinese hackers had [from as far back as 2008] stolen e-mails, contacts and files from more than 30 journalists and executives at Western news organizations, and had maintained a ‘short list’ of journalists whose accounts they repeatedly attack.”

That assessment was confirmed on 31 January, when the Wall Street Journal admitted that hackers trying to monitor the newspaper's coverage of China, hacked into its systems. Bloomberg says it was targeted after publishing an article last June about Xi Jinping, China’s then vice president and current general secretary of the country’s Communist Party. But Bloomberg says that although its computer systems came under attack, they were never breached.

Thousands of Networked Gadgets Double as Gaping Security Holes

Computer World is reporting that faulty implementation of the Universal Plug and Play (UPnP) protocol standard has turned millions of network-enabled devices such as routers, printers, media servers, and even smart TVs into gateways through which hackers can get inside firewalls. On 29 January, security researchers from Rapid7 released a research paper in which they noted that more than 20 percent of the 80 million unique IP addresses they pinged exposed the UPnP Simple Object Access Protocol service to the Internet. This allows one networked device to discover another and remotely turn on the other gadget’s data sharing, media streaming, media playback control and other services. The Computer World article explains that:

“In one common scenario a file-sharing application running on a computer can tell a router via UPnP to open a specific port and map it to the computer's local network address in order to open its file-sharing service to Internet users.

Many had UPnP implemented through a library called the Portable UPnP SDK. Unfortunately, as the Rapid7 researchers discovered, UPnP SDK contains eight remotely exploitable vulnerabilities. Two of them can be used to inject code remotely.

The upshot: More than 23 million networked devices exhibited this vulnerability during the test. Rapid7 told Computer World that a patch has been released, but the firm’s chief security offer predicted in a 29 January blog post that “it will take a long time before each of the application and device vendors incorporate this patch into their products.”

The slow-to-update problem, says Rapid 7, also affects users of a UPnP library called MiniUPnP, which can be exploited for denial of service and remote code execution attacks. New versions released in 2008 and 2009 don’t contain those security holes. But according to Rapid7, 14 percent of the Internet-exposed UPnP devices it pinged were still using MiniUPnP 1.0 and were thus still vulnerable. Though Rapid7 has released a free tool called ScanNow for Universal Plug and Play, and a module that detects vulnerable UPnP services running inside a network, many vulnerable devices will remain unpatched.

“Many PC users don't even update PC software that they frequently use and are familiar with,” Thomas Kristensen, chief security officer at vulnerability research and management firm Secunia told Computer World. “The task of finding the Web interface of a vulnerable networked device, obtaining the firmware update and going through the whole update process will likely be too intimidating for many users,” he said.

Want to Use a Plug-in on Firefox? Ask For It

Mozilla announced this week that it would automatically disable all plug-ins in Firefox except the latest version of Adobe's Flash Player. In order for any plug-in to run, the user will have to manually override the block. This feature, which Mozilla calls “click-to-play,” used to bar only plug-ins that the Firefox browser judged to be unsafe or too far out of date. The move comes on the heels of numerous reports of hackers taking advantage of bugs in plug-ins, particularly the Java browser plug-in. The makers of other browsers such as Chrome and Opera include the click-to-play feature. But Mozilla is the first to turn it on by default. The others require the user to enable it.

Yahoo Mail Hijacking Case Solved

Security researchers at Australia-based BitDefender say they have gotten to the bottom of how some Yahoo Mail accounts have been hijacked over the past month. It seems that a link that is supposed to take them to an MSNBC News site, connects them with a domain registered in the Ukraine. Javascript that finds the user's contacts and sends spam under his or her name is placed on those pages so that its almost impossible not to click on it.

Bill Shocker Malware Spreading Like Wildfire in China

It was revealed this week that a new piece of malware dubbed “Bill Shocker” has infected at least 600 000 mobile devices in China. The malicious code, which targets several of the most popular mobile apps in China, including Tencent QQ Messenger and Sohu News, sends spam to the users’ contact lists—often costing mobile device users a lot of money by going beyond the number of messages included in the unsuspecting users’ messaging plans. In a 30 January blog post, Beijing- and Dallas-based NQ Mobile said that the malware can update itself and "automatically expand to other apps, multiplying the potentially disastrous effects.”

Photo: Jleon/Wikipedia

“Programmer Bob”: Latter-Day Tom Sawyer or Massive Security Risk?

At first I thought this was one of those IT urban legends, like the “disappearing warehouse” story, but according to Verizon's IT security risk team, it's all true.

A few weeks ago, Verizon wrote on its IT security blog that it was asked to perform a security assessment for a U.S.-based client after the latter was “startled” to discover a live “open and active VPN [virtual private network] connection from Shenyang, China!”

What made the client thoroughly worried about this surprisingly open communication port to China was first that it was a U.S. critical infrastructure company; second, it had two-factor authentication for its VPN connection, which had obviously been breached and, third, “the developer [given the pseudonym “Bob”] whose credentials were being used was sitting at his desk in the office.”

In other words, “the VPN logs showed [the developer] logged in from China, yet the employee is right there, sitting at his desk, staring into his monitor.”

It seemed unlikely that Programmer Bob was manipulating the space time continuum, so the client called Verizon's IT security team hoping for a more realistic explanation.

What Verizon discovered was that someone in China had been using Programmer Bob’s credentials to access the client’s computer systems for quite some time on almost a daily basis. The Verizon risk team theorized that Bob’s desktop workstation software had been somehow breached possibly via some zero day malware. So, the team decided to acquire a forensic image of Bob’s workstation to see if it could uncover this malware as well as how it got onto Bob's workstation.

Instead, what Verizon discovered were “hundreds of .pdf invoices from a third party contractor/developer in (you guessed it) Shenyang, China.”

According to the Verizon account, “As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less that one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem. He FedExed his physical RSA token to China so that the third-party contractor could log-in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day.”

Nothing like exploiting a favorable date/time differential.

Programmer Bob, Verizon says, would spend the morning surfing Reddit for a couple of hours (watching cat videos), then take a long lunch, then spend the afternoon shopping on Ebay and updating his Facebook and LinkedIn. He did diligently return to his day job at the end of each day, to e-mail management on his work progress.

More interestingly, programmer Bob seems to have been able to pull off his outsourcing trick at multiple companies in his area. Exactly how wasn’t explained—I assume Bob didn’t have to be physically present at these other companies.

Verizon calculated that good old Bob looked to be earning “several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually.”

Even more interestingly—and here's where the blogosphere's ears really perked up—the client thought Bob was a superb employee. “For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.”

Verizon’s blog post naturally stirred up a lot of controversy. Some commenters claimed Programmer Bob was a hoax perpetrated by Verizon, or was in fact a Verizon employee. A later post by Verizon insisted that it was a true story, and that programmer Bob was not a Verizon employee.

What I found interesting was how, for everyone else, the story passed through myriad lenses of literary interpretation. Some saw Programmer Bob as a righteous example, a programmer Robin Hood who exercised the same prerogatives as managers who wantonly outsource jobs to China. This was the general take of an article in the UK Guardian, where Steven Poole wrote that Bob “has learned a harsh lesson: exploitation is a job for employers, not staff.”

Others took a slightly more modern perspective, comparing Programmer Bob to Mark Twain’s Tom Sawyer, who famously talked his friends into painting a fence he was tasked with. In this case, the role of Tom's eloquence was played by the pay differential between UK and Chinese programmers who do the same work (in this case, literally the same).

Even the Financial Times of London saw some merit in Bob's unorthodox arrangement, with popular columnist Lucy Kellaway asking, “If I outsourced my work, would you care?” Kellaway asks what the big deal is—lots of folks effectively outsource their work and no one seems to care. For example, she noted, “No one expects politicians to write their own speeches. We know many academics get their PhD students to do their research for them. Fashion designers don’t generally design their own clothes. Colonel Sanders doesn’t make his own fried chicken—though that is partly because he is dead.”

While tempted to outsource her own column, Kellaway admitted her ego “isn’t strong enough to deal with someone who is better at being me than I am.” That makes her Jerry Maguire to Programmer Bob's Ron Tidwell, the character who periodically shouted, “Show me the money.”

Still others viewed the story in the way that Verizon’s original post intended: a warning about how easy it is for a company’s IT systems to be breached by insiders, and how companies need to watch out for this. Yesterday’s Christian Science Monitor story on Bob’s exploits focused on this security angle.

I am sort of surprised that Bob hasn’t surfaced on daytime television yet. I wonder if it's because Bob, described as being a “mid-40’s software developer versed in C, C++, perl, java, Ruby, php, python, etc.,” a “ family man, inoffensive and quiet,” and “Someone you wouldn’t look at twice in an elevator” forgot to tell the appropriate authorities about his various sources of income.

Given a good lawyer, maybe the same one who helped another American icon, the singer Willie Nelson with his tax problems, perhaps Bob can have his folk hero status certified by Oprah. I, for one, would love to hear more about how he did it, though maybe 60 Minutes would be a better venue for the technical details.

And if Programmer Bob is reading this, you’re always welcome to tell your story here at the Risk Factor. Just don't outsource the interview.

Photo: Miha Perosa/iStockphoto

IT Hiccups of the Week: AT&T U-verse Bundle Suffers Three Day Hiccup

Last week was a relatively quiet week for IT uffdas, with the possible exception of subscribers to AT&T’s U-verse bundled service. A “small proportion” of them saw their service go away for three days.

AT&T's U-verse Multi-Day Server Complex Outage

Last Monday night, 21 January, subscribers to U-Verse, the bundled digital TV, high-speed Internet and voice service throughout the Southeastern United States, discovered that none of the services worked. They were unable to, among other things, make emergency calls. AT&T subscribers without the U-Verse bundle had service as usual, however. At first, the outage seemed to be of the annoying but short-lived variety, as subscribers told the Miami Herald that they lost their service at 9:30 P.M. local time and had it back at around 8:00 Tuesday morning.

AT&T encouraged the thought that the outage was a minor glitch, telling the Atlanta Journal-Constitution that it believed that the outage affected only some 6000 subscribers out of its 7.4 million customers spread across 22 states who have the service. AT&T explained that it was a server-related problem, and apologized “for any inconvenience to our customers.”

However, by later Tuesday afternoon, it became apparent that the outage was affecting roughly 75 000 (and likely more) subscribers to the U-verse bundling package. Reports started to come in revealing that the outage hit 14 states and spread as far west as California. AT&T still tried to put a positive spin on the outage, saying that the “issue currently affects less than 1 percent of our U-verse subscribers.” It added that it was working hard to fix the problem at its “server-complex”, but offered little further insight as to when the outage would be fixed or exactly what caused it.

By Wednesday, frustration, especially on the part of small businesses that depended on U-verse, was ratcheted up several notches as it became clear that many of them wouldn't have their service restored until Thursday. That was the case despite AT&T's assurances on Wednesday morning that, “U-verse service has been restored for the vast majority of our customers affected by the outage. We expect any remaining customer issues will be resolved this morning.”

The New York Times reported that AT&T finally gave a reason for the problem: a faulty software upgrade.

AT&T announced on Thursday afternoon that, “U-verse service has been restored for all customers affected by the outage. The software problem causing the issues was resolved by AT&T engineers early this morning. We are not pleased it took so long to fix the issue. AT&T will provide a credit to customers who were affected.”

The outage was a major embarrassment for AT&T, which had just boasted about the reliability of U-verse’s fiber optic and fiber-to-the-premises (FTTP) network  in early January. An AT&T spokesperson bragged that U-verse didn’t suffer outages like those of cable and satellite systems.  

Just to make AT&T’s week complete, equipment failure in Cleveland knocked out 911 emergency service as well as some landlines and 2G wireless service across northern Ohio, for about four hours on Friday; and a North Carolina hospital blamed a problem with AT&T Thursday for knocking its electronic health record system offline for seven hours.

New York Cabbies Lose Money Because of Wireless Connectivity Problem

The New York Daily News reported on Wednesday that a glitch in thousands of wireless communications devices installed in New York City taxis to allow riders to pay by credit or debit card. The malfunctioning systems, provided by Creative Mobile Technologies and connected to Sprint’s network, affected at least 2400 taxis’ card readers as well as their electronic fare meters, televisions, and navigation systems.

Taxi cab drivers were understandably angry about the glitch. Many pay US $120 or more per day to rent their cabs, and the malfunctioning meters rendered them unable to make any money (even with cash-paying customers) for nearly two days because of the glitch. Prospective taxi customers were none too happy either.

There was no word on whether Creative Mobile Technologies would be offering any compensation for the outage.

BATS Trading Error Dialed Back

About three weeks ago, BATS Global Markets, the third-largest U.S. stock exchange, announced that it had discovered during internal system audits two situations where “its computers allowed trades that violated [U.S.] rules intended to ensure all investors get the best prices for equities.” BATS stated that some 436,528 trades involving $420,000 were affected over four years.

But after having studied the suspected incorrect trades further, BATS presented dramatically revised numbers on Friday. According to the Wall Street Journal, BATS reported that there were only 12 000 bad trades involving $17 000.

When the errors were first announced, BATS CEO Joe Ratterman blamed it all on the complexity of the trading environment, which he in turn blamed on government regulators. I guess the complexity of market regulation wasn’t so bad after all.

Where's My W-2? National Grid Workers Still Unhappy With Payroll System

Last month, I wrote about Massachusetts Attorney General Martha Coakley warning National Grid—transmitter and distributor of electricity and natural gas to customers in New York, New Hampshire, Massachusetts and Rhode Island—to begin paying its employees correctly (including all of the overtime hours they worked in the aftermath of Hurricane Sandy) or else face a fine. One of the reasons for the lack of pay was that the National Grid went live with a new accounting system just before Sandy hit.  The changes needed in order to account for National Grid workers performing overtime in amounts and in locations outside of the ordinary created payroll havoc.

Coakley did impose a US $270 000 fine against National Grid earlier this month for its failure to pay its employees in a timely manner. Now it may be the Federal government’s turn to fine the company. According to the Boston Herald, National Grid has indicated to its employees that it might not be able to distribute the W-2 annual wage and tax statements needed to file taxes by 31 January as required, again because of problems with its accounting system. Failure to do so can mean a fine of up to $50 per W-2 statement from the U.S. Internal Revenue Service unless the IRS grants a waiver.

The Herald story says National Grid is insisting publicly that it will meet the deadline, but according to the employee union, the company is telling workers something different. We’ll see what happens come this Thursday, by which time the W-2 statements need to be mailed out.

Photo: Eric Gay/AP Photo

This Week in Cybercrime: Student Expelled After Revealing Security Hole in College Computer System

 

Student Whistleblower Expelled

It was revealed this week that a computer science student in Canada was expelled in November after he discovered a security flaw in his college’s computer system that could have exposed the personal data of more than 250 000 students. Hamed Al-Khabaz and a classmate found the security hole—which would have let anyone querying the system to access every bit of personal information about students contained in the school’s records—while developing an app that would let students access their campus accounts from mobile devices. When Al-Khabaz and his partner reported the problem, Dawson College administrators and officials at Skytech Communications, the company that sold the computer system to the school, initially gave the students a pat on the head for a job well done. But when Al-Khabaz followed up two days later, using a scanning tool to see if the campus and corporate security teams had made good on their promise to fix the vulnerability in Skytech’s Omnivox system, the pat on the head quickly changed to a swift kick in the pants.

Al-Khabaz says that he received a threatening call from Edouard Taza, the president of Skytech, telling him that the scan was illegal and could get him tossed in jail for up to a year. With that threat in the air, Al-Khabaz signed a non-disclosure agreement making him legally bound to keep silent about the security problem, the subsequent scan, the threatening conversation, and the existence of the non-disclosure agreement. Immediately following that episode, Dawson College officials applied their own dose of shoe leather. The school brought him up on charges of “serious professional conduct,” and 14 of 15 computer science professors voted to expel him from the computer science program. Heaped on top of that was the order that he repay grants he received for his studies.

In its defense, the school insists that the press has it all wrong. At a press conference on 22 January—after Al-Khabaz realized that he had very little left to lose by failing to abide by the terms of the non-disclosure agreement and went public with the details of the incident—school officials said the former student had “made an attempt to gain access to a range of systems” and that his activity constituted “a concerted set of attacks on a range of systems.”

An odd twist in the story is that although Dawson College refuses to readmit him, Skytech is one of a number of firms that have offered him a job.

The Downside of Logging Into Everything With One Password

Once again security has been sacrificed on the altar of ease of use. Twitter and Facebook, in an effort to put themselves at the center of Internet users’ online activity, allow their login credentials to be used as a kind of master key for granting access to third-party apps. And right on schedule, the unintended consequences have arrived.

Some apps, designed to automatically read from and write to a Twitter user’s timeline, see who he or she follows, and update the person’s profile, are supposed to do so only if given permission. But according to Cesar Cerrudo, a security researcher at IOActive, he recently discovered a flaw in Twitter’s code that let these third-party apps access Twitter users’ direct messages—which are supposed to be private—even when Twitter users had not agreed to give the apps that level of access.

In the course of testing the functionality of an app—specifically the feature that allows user to sign in with their Twitter credentials—he noticed that the permission level was initially set to allow the user enough access to read existing tweets and post new ones. But after logging out and signing back in a few times, the app began displaying Twitter direct messages. Meanwhile, the application settings page still indicated that the permission level had not been changed.

After unsuccessfully attempting to figure out the nature of the security flaw, Cerrudo notified Twitter’s security team, which promptly fixed the problem. Unfortunately, Cerrudo told Kaspersky Lab’s Threatpost, Twitter did not issue a general alert to its users making them aware of the issue.

U.S. Military Seeks Automated Cyberattack Defense

The U.S. Department of Defense's Advanced Research Project Agency (Darpa), is on the hunt for new ways to scan and analyze the massive amounts of data generated by the computer networks run by government departments. The effort, part of Darpa’s Cyber Targeted-Attack Analyzer program, is designed to "automatically correlate all of a network’s disparate data sources—even those that are as large and complex as those within the DoD — to understand how information is connected as the network grows, shifts and changes," says an agency news release. Keeping an eye on every bit of a network as extensive and complex as that run by the Department of Defense is a tremendous undertaking. The security and performance-monitoring systems attached to the networks collect untold haystacks of data on a daily basis. Darpa is hoping that employing a new, automated approach will make ferreting out the occasional needle easier. “The Cyber Targeted-Attack Analyzer program relies on a new approach to security, seeking to quickly understand the interconnections of the systems within a network without a human having to direct it,” Richard Guidorizzi, manager of the program told Kaspersky Lab’s Threatpost. “Cyber defenders should then be capable of more quickly discovering attacks hidden in normal activities,” he said.

The program comes on the heels of the U.S. military issuing several solicitations for offensive cyberwarfare capabilities.

Google Back as Sponsor of Hack-a-lympics

The Pwn2Own hacking contest is back—this year with new rules and a bigger cache of prize money courtesy of Google. HP TippingPoint, organizer of the annual event, says the hacker games—which will take place between 6 and 8 March at the CanSecWest security conference in Vancouver, British Columbia—will test entrants’ ability to demonstrate new exploits taking advantage of vulnerabilities in the Chrome, Firefox, Internet Explorer or Safari browsers, or the Adobe Reader, Adobe Flash or Oracle Java browser plug-ins. Big money (US $100 000) will go to the person who hacks Chrome on Windows 7 or Internet Explorer 10 on Windows 8 in the fastest time. The quickest to break into IE9 will get $75 000; the prizes go down from there, to $20 000 for an exploit for Java, which has taken a public beating for its security failings.

Google’s sponsorship is worthy of note, says Computer World, because the search company backed out underwriting the event last year over a disagreement with regard to the rules. Unlike last year, Pwn2Own participants must reveal the full exploits and all the details of the vulnerability used in their attacks. Google was upset that the contests wouldn’t result in vendors having the ability to see and fix the flaws. But it didn’t simply take its ball and go home. It put on a $120 000 Chrome-specific hacker contest at CanSecWest. Google has already confirmed that it will present Pwnium again this year. But the search firm has yet to reveal whether it will take place at CanSecWest.

Waiting For REAL ID? Take a Seat, It'll Be a While

There's an interesting story in next month’s National Defense magazine on the long gestation of the REAL ID Act.

As you may remember, eight years ago the U.S. Congress passed the REAL ID Act of 2005. It would have forced states to start issuing tamper-proof driver licenses and identify cards by 11 May 2008. The reason for the act, a brainchild of Congressman Jim Sensenbrenner of Wisconsin, was to make it harder for terrorists and other criminals to be able to pass off fake IDs in the commission of their crimes. And a REAL ID card would be required to enter a federal building or board a commercial airline flight.

After an outcry from state governors over the projected cost—upwards to US $12 billion they claimed—and from privacy advocates over this creation of a de facto national identity card, the Department of Homeland Security (DHS) decided in March 2007 to move the act's compliance date to December 2009. Then, in January 2008, DHS decided again to postpone the deadline for states to the 11 May 2011 and also changed some of the documentation requirements needed to get a REAL ID in hopes of quieting the critics. DHS estimated then that the states’ implementation costs would not be any greater than $3.9 billion, which DHS would help cover with $280 million in state grants.

After continued grumbling by the states about the cost, and some two dozen state legislatures passing laws or resolutions refusing to comply with the REAL ID requirements, in March 2011, DHS postponed the compliance deadline yet again, this time to 15 January 2013. And then, as this deadline approached and with most states still in non-compliance, late last month DHS for the fourth time delayed the compliance deadline. It will apparently be to sometime in 2015; the department won't announce the exact date until later this year.

A DHS press release announcing this latest delay praised the 13 states that it says have met REAL ID standards: Colorado, Connecticut, Delaware, Georgia, Iowa, Indiana, Maryland, Ohio, South Dakota, Tennessee, West Virginia, Wisconsin, and Wyoming. However, as the National Defense magazine article points out, the Real ID act requires that there exist “five different national databases for states to tap into to verify identities [but those] are not up and running.”

Hmm, I guess meeting the REAL ID standard all depends what you mean by “standard.” Or maybe the word "is."

In addition, as noted in an acerbic post at the CATO Institute, there are pretty good odds that the states who haven’t complied with the REAL ID act will probably never have to, making suckers out of those that did. As CATO points out, it is highly unlikely that the federal government is going to tell the citizens of 37 states they can’t fly in planes or enter federal buildings. How will federal judges feel about all those empty jury boxes? As it happens, I've been called to federal court jury duty next week, in a state that doesn’t meet the REAL ID act.

The pleasure of watching the endless tug of war over federal (unfunded) mandates versus states’ rights exposed by the REAL ID act is compounded by the risible and ever-changing cost estimates to the states of implementing it. Sensenbrenner originally estimated (i.e., pulled out of the air if not another place) that the cost to change state department of motor vehicle computer systems would be about $2 million per state over 5 years, or $100 million overall. The Congressional Budget Office, sharing the same fantasy, generally concurred, estimating that it would be closer to $120 million over the 5 years total.

However, a  2006 study by the  National Conference of State Legislatures (NCSL), the National Governors Association (NGA), and the American Association of Motor Vehicle Administrators (AAMVA) said that Sensenbrenner and the CBO were way off, and did not account for the vast majority of costs that would be incurred. This group estimated that the REAL ID act could cost states more than $11 billion over five years (pdf).

That number was thought to be way off until the DHS admitted in March 2007 that its own estimates of the REAL ID act implementation costs would be from $10.7 billion to $14.6 billion—with another $7.8 billion or so in costs borne by individuals in fees—over ten years.

After its January 2008 changes to the REAL ID requirements, DHS revised its own estimate and claimed that compliance would now cost the states a mere $3.9 billion or so over ten years.  In 2011, the Center for Immigration Studies, an advocate for REAL ID, estimated the cost  to the states would be even less: somewhere  between $350 million and $750 million. That seems remarkably low, given that DHS has said that it has already awarded $263 million in grants from FY 2008 to FY 2011 to states to help them meet the REAL ID requirements—and three-fourths of the states aren't done yet.

Exactly how much money the states have spent so far on top of this DHS grant amount is unknown, but even the DHS knows that meeting the Real ID “standards” aren't cheap. One reason for the latest delay, DHS says, is that “in a period of declining state revenues,” the states are having a hard time finding the money to implement the act's requirements.

My guess is that the DHS will continue to set Real ID compliance deadlines only to postpone them at the last moment, and hope that over time, the vast majority of states will ultimately albeit grudgingly implement REAL ID as they eventually replace their DMV legacy systems. Me, I'm rooting for some genuine enforcement of compliance by 2015. I probably wouldn't ever have to report for federal jury duty again.

IT Hiccups of the Week: I Don’t Have Your Cellphone, Honest

We start off this week’s potpourri of IT–related snafus and snarls with an unusual one from North Las Vegas.

The Case of the Missing Sprint Cellphones

According to a story in the Las Vegas Review-Journal, since 2011, people keep showing up at Wayne Dobson’s house demanding that he return their lost or stolen Sprint cellphones. Police also have shown up demanding entrance after being sent to his house on suspicion of domestic violence because of calls 911 operators received from Sprint cell phones. The only trouble is that Hobson, who lives alone, doesn’t have any of the phones.

The Review-Journal cited telecom experts who speculated the problem might be an intermittent error in a Sprint’s local switchboard software that is used to determine the GPS coordinates of its cell phones. As a resul, they say, some owners of lost or stolen Sprint cell phones, as well as the police, are being directed to Dobson’s house by mistake.

Dobson, who has been awakened at all hours of the night by both the police and irate cellphone owners demanding he return their cellphones, is not amused. He has posted a sign on his house saying that he doesn’t have any lost or stolen cellphones, but that isn’t likely to deter someone who thinks their phone is at his house. It definitely is not going to deter the police, who although aware of the glitch, say that if they get a 911 domestic violence call, “they will still send officers to the scene unless they can confirm that there isn’t actually a problem there.”

Sprint told the Review-Journal last week that it “will research the issue thoroughly and try to get to the bottom of what is going on and if it has anything to do with our company.”

And according to a story today at the Review-Journal, Sprint says it has indeed gotten to bottom of the problem. There isn’t any error on our part, Sprint told the paper; the issue is a result of people who don’t understand “the inaccuracy of cellphone location software.”

Sprint told the paper that, “Location search results … are intended to be interpreted as anywhere within a several-hundred-meter-wide circular area - not the center point of the circle itself.”

I think that's news to most people.

Sprint went on to tell the Review-Journal that it can help the police understand when there is inaccurate location information coming from their cellphones, but “as for private citizens who use the technology to track their lost or stolen cellphones, there's nothing the company can do beyond educating them,” Sprint said. In other words, Dobson may still receive knocks on his door at all times of night.

Sprint's statement somewhat begs the question of what "inaccurate location information" means - being anywhere within a several-hundred-meter-wide circular area seems pretty inaccurate to me to begin with. Does Sprint mean that if the circular area displayed to the police is a several-thousand-meter-wide circular area it will help reduce it to a several-hundred-meter-wide circular area?

Sprint also told the paper, “We sincerely regret the inconvenience experienced by Mr. Dobson."

The Review-Journal found that Dobson’s experience is not unique. According to the paper, the same "knock at the door" has happened to folks living in New Orleans, Louisiana, Decatur, Georgia and San Antonio, Texas, all involving Sprint phones.

I wonder if Sprint sincerely regrets the inconvenience experienced by them, too.

Navy Minesweeper Runs Aground: Digital Map Error May Be Involved

The Defense News reported over the weekend that the minesweeper USS Guardian which ran hard aground on 17 January and remains stuck on a reef within the protected Tubbataha Reefs Natural Park in Philippine waters may have been following a digital navigation map that “misplaced the location of a reef by about eight nautical miles.”  As a result of the grounding, U.S. Navy ships have been ordered “to operate with caution when using [National Geospatial-Intelligence Agency]-supplied Coastal Digital Nautical Charts due to an identified error in the accuracy of charting in the Sulu Sea.”

The U.S. Navy is currently trying to minimize the damage to the reef, which is in a Unesco World Heritage restricted zone.  So far there have been no reports of fuel or oil leaks from the ship, although the ship is reportedly taking on water.  However, the U.S. Navy can expect to pay heavy fines any damage caused to the reef.

A few years ago, the British Maritime Accident Investigation Branch (MAIB) issued a warning to commercial ship operators about the dangers of relying too much on electronic navigation charts.

New Computer System Confuses Paternity

A story at The Tribune-Democrat last week reported that “the Division of Vital Records at the [Pennsylvania] Department of Health, which was switching to a new computer system” had sent out official birth certificates to 500 families that incorrectly listed the name of the father.

According to the story, the names are correct on the state’s main computer system, but when the Division of Vital Records “went to print out the new birth certificates, data for the father's first and last names were pulled from the wrong fields, which caused the documents to be filled out incorrectly.”

The state is telling those families that received the incorrectly printed birth certificates to send them back and they will get new ones.

And as far as I can tell from looking through the various news reports, the Division of Vital Records spokesperson didn’t bother with expressing “it regrets the inconvenience” tagline. How refreshingly honest.

This Week in Cybercrime: Hackers Build Better Mousetraps

U.S. Military Wants Ability to Jump Air Gaps, Attack Isolated Systems

According to a 15 January report by Defense News, the U.S. Army is looking to create sophisticated new techniques in cyberwarfare that solve a problem created by a well-known moment of success. It is looking for a way to remotely penetrate the defenses of industrial control systems—even if they are supposedly isolated from the Internet by so-called air gaps. Stuxnet, a cyberwarfare tool unleashed by the United States and Israel, used multiple zero-day exploits to inject malicious code that caused centrifuges at Iran’s Natanz nuclear enrichment facility to spin out of control. But it wouldn’t have gotten in the door if someone hadn’t carried it in on a USB flash drive. In the wake of revelations about the cyberattack, operators of secure systems such as Natanz have stiffened their security. Among the new protocols are bans on connecting thumb drives and other external storage devices to ostensibly secure systems. So now the Pentagon is interested in new ways to infiltrate isolated computer systems without gaining physical access. Defense News cites sources familiar with the program who say that the Army’s Intelligence and Information Warfare Directorate (I2WD) met with representatives from about 60 organizations to start figuring out how to, for example, send malicious code through the air into an enemy facility from a van parked outside or a drone hovering far above. 

Pay Attention, Class

Speaking of security updates, administrators at an unnamed U.S.-based power plant clearly didn’t get the memo. The U.S. Computer Emergency Readiness Team (CERT) reported in a just-released quarterly report that the power generating facility was shut down after malware infiltrated its turbine control systems and engineering workstations. The agency, which is part of the U.S. Department of Homeland Security, wouldn’t reveal the name, location, or type of plant, but said that the malicious code was introduced by a contract employee using a USB drive to perform software updates. And get this: None of the computers were equipped with antivirus software. Why, you ask? The reasoning, at least until recently, was that because industrial control systems in such facilities aren’t connected to other networks, malware couldn’t get in.

The problem wasn’t discovered until the contractor noticed glitches in the operation of the USB drive. A cursory check by the IT staff at the power plant revealed that it was infected with a two different types of malware. CERT says it removed the malicious code from the control systems and workstations and offered some recommendations for tightening security there. I imagine the first recommendation was: Get a clue.

Is Your Identity Worth Stealing?

According to an old saying, beggars can’t be choosers. But it seems that thieves have no such governing principles. A Security Week article reports the discovery of a new phishing technique that courts a preselected group of victims and doesn’t bother infecting the machines of people who are not on the so-called “bouncer list.” According to researchers at EMC’s RSA Security division, attackers begin with a list of email addresses and assign each person on the list a unique user ID. When someone stumbles upon the Web page hosting the malware, the site first checks to see if the person has been assigned an ID number. If so, the browser is directed to the phishing page; if not, the user is shown a “404 page not found” message. Being selective, say security experts, allows the perpetrators of such schemes to attack many “quality” victims without setting off the alarms that would be triggered by casting a wide net. The RSA researchers say each of these schemes typically targeted 3000 people. “Obviously quality data fetches a higher price in the underground,” Daniel Cohen, RSA’s head of business for online threats, told Security Week. He added that these attacks are most likely the work of someone looking to sell the information for profit rather than an illicit end user.

Malware Comes Calling Via Skype

As if phishing schemes and other come-ons weren’t leading to enough online havoc, CSIS Security Group, a Denmark-based IT security firm, has reported in a blog post that Shylock, a malware program designed to steal credentials for online banking accounts, has been armed with a new propagation method. A new plug-in added to the program this week allows it to send messages and files through Skype, then cover its tracks by deleting them from Skype’s history folder. Addding to the plug-in’s stealth is its ability get in and out without triggering the warning and confirmation request that a user normally sees when a third-party program tries to connect to Skype. Researchers already knew that Shylock could copy itself to removable drives and local network shares

Observers suspect that the move to use Skype as a transmission mechanism is related to Microsoft’s announcement that it plans to scrap its MSN Messenger service on 15 March. Microsoft advised users to switch to Skype. Also important, from the cybercrook’s perspective, is the ability to use Skype to reach any point on the globe instead of being mostly limited to small regions because users of infected machines tended to connect with a limited circle of friends.

Hacker Prosecutors Face Scrutiny

On 11 January, Internet pioneer and activist Aaron Swartz committed suicide at age 26. He was facing the prospect of a 35-year prison sentence if convicted of violating the United States’ federal Computer Fraud and Abuse Act (CFAA).  In the wake of Swartz’s death, the prosecutors in the case—and MIT, whose systems Swartz used to pull off the misappropriation of thousands of subscription-based scholarly papers—have been tried in the court of public opinion. Swartz supporters and other observers say the potential punishment did not fit the crime.

In a petition on the White House's website started on 14 January, some legal experts indicated their desire to see the government initiate a review of the CFAA that would result in a more nuanced application of the 1986 law. The statute “makes it illegal to knowingly access a computer without authorization, to exceed authorized use of a system, or to access information valued at more than $5,000.” But the petitioners note that the law was originally intended to bring the hammer down on hackers aiming to steal for personal gain or to sabotage systems. Neither of those motives was behind Swartz’s caper, they point out. "The government should never have thrown the book at Aaron for accessing MIT's network and downloading scholarly research," the Electronic Frontier Foundation (EFF) said in a 14 January blog post. Hanni Fakhoury, staff attorney at EFF, told Computerworld that “Over the years, creative prosecutors have taken advantage of the law and applied it to situations that it was never meant to tackle.” 

F-35 Software: DoD's Chief Tester Not Impressed

Last September, U.S. Air Force Maj. Gen. Christopher Bogdan, the then incoming director of the troubled  F-35 program, said that he was not optimistic that all the program's current problems—especially those related to software, which has long been a sore point (pdf)—would be fixed in time to meet the services’ planned initial operational capabilities, beginning with the Marine Cops in about 2 years. The 2012 Annual Report (pdf) on major defense acquisitions, by the Department of Defense's Director of Operational Test and Evaluation, J. Michael Gilmore, isn’t likely to increase Bogdan’s optimism any.

In his report, Gilmore states that in regards to operational suitability, the F-35 currently “demonstrates [a] lack of maturity… as a system in developmental testing and as a fielded system at the training center.” While Gilmore’s report details a host of other engineering-related issues as well, software remains a major area of concern.

For instance, the report states that, “Software delivery to flight test was behind schedule or not complete when delivered” and that, “Block 1 software has not been completed; approximately 20 percent of the planned capability has yet to be integrated and delivered to flight test.” Block 1 software, which provides initial training capability, was first flown in November 2010.

Read More

Red October Detected but Still Dangerous

Like the fictional nuclear submarine with the same name, the Rocra or Red October computer espionage campaign was designed to escape notice. It operated undetected by most antivirus products until unnamed researchers discovered it five years after it began stealing data on workstations, mobile devices and networking gear. Kaspersky Lab said it was alerted of the Rocra attacks by a partner in October; that’s when it began tracking the campaign’s myriad tentacles, which extended mainly to Eastern Europe, former Soviet nations, and Central Asian countries. In a report released today, Kaspersky described the cybercrime operation as, “still active with data being sent to multiple command-and-control servers through an infrastructure which rivals the complexity of the Flame malware.”

Kaspersky researchers say they haven’t found any connections between Rocra and Flame, but like Flame, the new campaign comprises more than a thousand unique malware files that carry out tasks such as reconnaissance, scanning for new machines to infect, recording keystrokes and screenshots, and capturing data in e-mail and USB drives. According to Kaspersky’s Threatpost blog:

“The command and control infrastructure behind this campaign is made up of 60 domains and a number of server host locations in Russia and Germany, most of which act as proxies in order to hide the true C&C server. Kaspersky said it was able to sinkhole six of the domains and watch them over since Nov. 2. More than 55,000 connections were made to the sinkhole from close to 250 IP addresses. Most of those IP addresses were in Switzerland, Kazakstan, Greece and Belarus; there are victims in 39 countries.”

This level of sophistication, say the researchers, requires resources that bespeak the participation—or at least the purse strings—of a nation-state. Still, Kaspersky wouldn’t go so far as to make that claim—even though the targets of the attacks, which include oil and gas companies, aerospace and nuclear research firms, and trade and commerce organizations, suggest a country looking to improve its fortunes or gain strategic advantage by getting its hands on proprietary information without paying for it.

Read More

IT Hiccups of the Week: BATS Global Long-hidden Programming Errors

It’s been another relatively quiet week on the IT glitch front. We start off, again, with news of errors involving a stock exchange—this time ones that have avoided detection for four years before being discovered.

BATS' Undiscovered Errors

According to Bloomberg News, BATS Global Markets, the third-largest U. S. stock exchange, announced on the 9th of January that it had discovered during internal system audits two situations where “its computers allowed trades that violated [U.S.] rules intended to ensure all investors get the best prices for equities.” In one case, a programming error in BATS’ Matching Engine that matches “orders for two Bats equity exchanges and an options venue allowed some trades to occur at prices inferior to the best available bid or offer.” In the second case, another programming error allowed short sales that violated trading rules. You can read the details in the BATS press release.

A story at the Financial Times said that the errors first occurred in October 2008 and weren’t discovered until about a week ago. Some 436,528 trades were affected, and “customers lost more than $420,000 from inferior prices they received,” the FT reported. BATS CEO Joe Ratterman defended how BATS tests its systems, telling the FT that the affected trades were “anomalies,” and implying that, given the complexity of the exchange operating environment, no one should be surprised by these issues. At least he didn’t call his programmers “knuckleheads.”

Ratterman did try to deflect responsibility, placing the blame on government regulators for creating the complexity. “The regulatory environment is getting layered with additional guidelines and requirements and what you end up with is a fair amount of rules . . . as you layer on over time, it gets more complex,” Ratterman explained. Ratterman conveniently neglected to mention that if there weren’t so many technical issues cropping up (as well as unbridled growth in complex and risky financial engineering instruments few understand), maybe there wouldn’t be so many regulations being piled on the exchanges.

While in artful dodger mode, Ratterman added that customers hadn't complained about being disadvantaged, as if that is an excuse. That said, at least Ratterman told the FT that BATS wants to compensate customers affected by the programming errors.

BATS is understandably defensive about this latest issue—even though it was small from a financial standpoint—given the major hit the exchange took to its reputation last March when it botched its own IPO. That screw-up helped Standards & Poor's decide to assign BATS a BB- corporate credit rating late last year; the S&P in its announcement said it believed “that BATS is highly vulnerable to operational risk.”

Forewarned is forearmed.

RIM Takes a Hit

Speaking of reputation hits, the last thing that RIM wanted last week was being associated with yet another service outage, even if it was relatively minor. According to a Wall Street Journal report, an apparent Vodafone U.K. router error caused e-mail and instant-messaging services throughout Europe, the Middle East and Africa to be affected for about five hours on Friday. Vodafone U.K. BlackBerry customers were the worst hit. Voice and text messages were not affected, however.  Vodafone said in an emailed statement that, “We apologize to customers for any inconvenience caused.

RIM is hoping that its new BlackBerry 10, scheduled for launch by the end of the month, will turn around its fortunes. With that in mind, it certainly doesn’t need any visits from ghosts of problems past.

NAV Canada Regrets the Inconvenience

Finally, last Thursday evening, flights into and out of Toronto’s Pearson International Airport were delayed and some were canceled when a flight planning system computer belonging to NAV Canada, the country's civil air navigation services provider, crashed.

Everything was back to normal by 0300 local time Friday morning, a Canadian Press story reported. NAV Canada said that it “regretted the inconvenience,” and although it wasn’t sure what caused the problem, it was “looking into the matter to make sure it never happens again.”

That's most reassuring, given that they don't know what caused the crash yet.

Advertisement

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 
Load More