Risk Factor iconRisk Factor

Ohio Bank Erroneously "Files" Many of Its Depositors for Bankruptcy

IT Hiccups of the Week Last week saw an uptick in the number of reported IT problems, slip-ups, and complications. Among the more mind-boggling was the revelation that Fifth Third National Bank of Cincinnati informed its customers last week via a letter that, “We inadvertently reported that you filed bankruptcy to the following [four major U.S.] credit bureau reporting agencies.”

Oops.

What the Fifth Third National Bank’s letter didn’t tell its customers was that their "bankruptcy" status was sent to the credit bureaus Experian, TransUnion, Equifax, and Innovis last October because of an erroneous software update to its IT systems. The bank found the error in November, but it wasn't fixed until December. The letter also didn’t explain why the bank decided to wait until last week to inform its customers of the problem.

Fifth Third National Bank refused to tell inquiring news agencies exactly what happened, nor how many of its customers the bank falsely reported were in bankruptcy proceedings; it would only say it was a “limited” number. However, a couple of news reports placed the number at over 20 000.

The bank did put out a statement saying that it corrected the false information with the four credit bureaus, and that if a customer did not have a credit issue before receiving the letter, they “should” not have one now. It also stated that, “The accuracy of our customers’ credit history is important to us, and we will ensure that no customer will suffer negative impact.”

Well, maybe no new credit problems because of the October foul-up, that is.

For those long time readers of the Risk Factor, you may remember that Fifth Third Bank was fined over failing to follow established security protocols in the massive TJX VISA credit card breach in 2007.

Major Credit Payment Outage Hits Israel

At first, it looked like a major cyberattack was occurring. When credit card purchases and other financial transactions across Israel couldn’t be completed last Thursday morning, Israel’s Shin Bet security service was quickly called in to investigate. Alas, the Times of Israel reported, it was just another software update-related problem.

The Times reported that there was a fault in the “daily update from SHVA—the automated banking service that provides communication and computer systems for many of the credit card and banking services in Israel—which set the dollar exchange rate to zero.” As a result, payment terminals that accepted foreign currency “were stumped” by the zero value, and crashed.

A Jerusalem Post story provided a bit more information, saying that the problem was traced to an error in “an overnight software update that blocked communications between Shva, the Automated Banking Services clearinghouse owned by the banks, and Retalix, which provides the payment terminals to the [store] chains.” The update error was corrected around noon local time, and things were back to normal by early afternoon.

New California Healthcare Worker Licensing System Causing Unacceptable Delays

Another new California state IT system goes live, and just as predictably, another foul-up quickly follows. This time, it was the Department of Consumer Affairs' $52 million catchily-titled BreEZe system. The online licensing and enforcement system, which was rolled out last October, is meant to streamline the operations and increase the efficiency of the 37 boards, bureaus and committees under the jurisdiction of the Department of Consumer Affairs. The improvements, it was hoped, would allow “online license applications and license renewals for registered nurses, physician assistants, doctors and respiratory care practitioners” to be a, well, breeze.

Unfortunately, the BreEZe system has been anything but for 10 of the 37 agencies currently using it. For one, the system doesn’t yet accept online applications because of a host of unresolved software issues. And the Department can’t say when BreEZe will be able to do so. Until it does, nurses, physician assistants, etc. must send in paper applications, which then have to be manually transcribed by Department of Consumer Affairs staffers and temporary workers added by the Department in order to cope with an ever-increasing pile of applications.

Newly minted nursing school graduates have apparently been hardest hit by the backlog. Many have received job offers from hospitals and other healthcare providers, but cannot practice without a license when licensure requires confirmation that the candidate has passed a state exam. The Department of Consumer Affairs schedules and administers the exams, and processes the results, but is falling further and further behind in scheduling the tests because of the problems with BreEZe. Other healthcare workers who are already licensed but need to renew their credentials are reportedly encountering snags, too. The total backlog of applications is now said to have reached over 4000.

The problems with BreZe are now reaching a point, the Modesto Bee reports, where “some hospitals aren’t able to fill gaps in staffing or meet nurse-to-patient ratios required by state law.” The shortages have grown so critical that some hospitals are paying other facilities to take their patients.

A spokesman for the Department of Consumer Affairs told the LA Times, in a classic government statement of the obvious, “Our BreEZe computer system is not doing everything it was designed to do yet.” Why the system was ever rolled out before being able to reliably perform one of its most basic functions is anyone’s guess. 

An audit of this latest California IT disaster has been called for, but whether it ever happens remains to be seen.

Toyota Recalls 2 Million Buggy Vehicles

Finally another of the more newsworthy foul-ups was Toyota’s recall of 1.9 million Prius hybrids for a software flaw, which was discussed in a separate Risk Factor post last week.

Subsequent to that announcement, Toyota also announced a recall of another 295 000 vehicles involving both its Toyota and Lexus brand vehicles over an electrical component fault in their brake actuators. Reuters reports that the fault could increase the resistance in the fluid pressure in each wheel cylinder, which could cause the vehicles’ stability control, traction control and anti-lock brakes to become “inoperative.”  The vehicles affected include 2012 and 2013 model year Lexus RX350 crossover vehicles, 2012 and 2013 Toyota Tacoma trucks, and 2012 Toyota RAV4 SUVs.

Fifth Third National Bank of Cincinnati Files Bankruptcy for Thousands of Customers

Fifth Third National Mistakenly Reports Customers’ Bankruptcy

Fifth Third Bank Say Sorry for Bankruptcy Mistake

Fifth Third Tells Customers Not To Worry

Better Business Bureau Tells Fifth Third Bank Customers to Check Their Credit Scores

Software Update Error Crashes Israeli Credit Payment Terminals

Credit Cards Rejected Throughout Israel

Credit Card Glitch Blocks Transactions

Glitch Causes Mass Credit Card Processing Problems

California’s New Consumer Affairs BreEZe Licensing System Becalmed

Nursing Graduates Frustrated By New Licensing System

Nursing Graduates Face Delays in Taking State Licensing Exams

Audit Called For in Licensing Board System Disaster

In Other News…

Toyota Recalls 295 000 Vehicles Due to Brake Electrical Fault

Microsoft Blames Bing Chinese Censorship on System Error

MIT Tells Some Applicants They Weren’t Accepted After All

Kansas Department of Labor Computer Error Shorts Auto Workers’ Payouts

Miami County, Indiana, Server Failure Takes Out Government Online Services for Week

Online Fashion Group Asos Sees Order Meltdown

Alberta, Canada, Tourism Website Experiences Camping Reservation Problems

Virginia E-ZPass Sensor Issue Hits Hampton Roads Tunnel Drivers

Gas Sells For One Penny at Illinois Gas Station

Victoria Australia Police “Computer Error” Blamed For Child Being Beaten to Death   

GPS Monitoring Alerts Overwhelm California Probation Officers

Illustration: iStockphoto

U.S. Gives Cybersecurity Advice to Critical Infrastructure Operators—But No Rules

This Week in Cybercrime The U.S. government, finally realizing that it has to take action to ensure a minimum level of cybersecurity in networks that manage the nation’s energy, water and financial services, presented the Framework for Improving Critical Infrastructure Security on Wednesday. The document, which was put together by industry and government experts, is a compilation of cybersecurity standards and best practices; it is the result of the year-old Executive Order 13636, under which President Barack Obama directed operators of critical infrastructure to provide guidance for defending their networks.

“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said in a statement. “America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”

The 41-page document describes itself as a complement to industries’ existing risk management practices. What remains to be seen is whether this “guidance” will make firms that have minimal safeguards in place immediately take action to update or reconfigure their systems. Something tells me that a book of suggestions without force of law will not do the trick.

Industrial Control Systems Unguarded

Security researchers have been taking creators of industrial control systems and devices like programmable logic controllers to task for the abject lack of security controls that would prevent networks and the facilities they run to be taken over by hackers. But many products and systems remain insecure. That was the focus of a talk by researcher Jonathan Pollet, founder of Red Tiger Security, at the Kaspersky Security Analyst Summit in Punta Cana, Dominican Republic, on Tuesday.

Referring to the maddening state of play in industrial cybersecurity, he said, “It’s like hacking in the 1980s and 1990s,” when IT software and hardware vendors typically buried their heads in the sand, hoping that researchers presenting vulnerability reports would eventually go away if the companies ignored them long enough. According to a Kaspersky Threatpost article, Pollet recalls, “being at a Texas amusement park recently and the ride he was waiting for was malfunctioning. The operator told him the ride used a Siemens PLC as part of the control system, so he went home, got his laptop, returned and was able to debug the software, find the problem and fix it and get the ride going again.” 

Did he have credentials giving him access to the system? No. Did he face much difficulty in reconfiguring the control system for a machine that thousands of people would ride that same day? Nope. Now imagine that scenario if Pollet’s intentions had been nefarious.

That anecdote was but one example of the widespread lack of authentication, failure to use encryption, and lack of monitoring in critical systems—even after security holes are reported. Pollet said that when he does hear from industrial control and automation vendors, they present excuses such as protocols aren’t ready or that security is difficult to build in.

“All these excuses aren’t really excuses,” he said during his talk. “With the current software and hardware we have, there’s no reason we can’t have these systems secured.”

Automakers Keep Cybersecurity Discussions in Park

In another talk at this week’s Kaspersky Security Analyst Summit, security researchers Charlie Miller and Chris Valasek reported that a year after they published a detailed paper showing a series of cyberattacks that enabled them to control the steering, braking and other functions in some cars, they’ve heard nary a word from automakers about the exploits. In other words, Miller and Valasek have had neither the opportunity to explain which weakness the attacks take advantage of, nor the chance to help design systems to prevent or at least detect intrusions. Miller, referring to the automobile manufacturers, said, “We have no idea what they’re doing. They could be building something, but it could be years down the line.”

By the Power Vested In Me by Me, Myself, and I…

Dozens of phony SSL certificates spoofing legitimate ones for banks, e-commerce sites, ISPs, and social networks, were discovered this week. The unsigned certificates could put people who use apps or other software that access the Internet—but don’t necessarily check the legitimacy of SSL certificates—at risk for man-in-the-middle attacks. Netcraft, a British security firm, provided details about the bogus certs on its blog.

Apparently the various certificates have different purposes. For example, a fake YouTube cert blocked residents of Pakistan from accessing the site, a phony iTunes cert was a linchpin in an online scam, and a fraudulent Facebook cert redirected users to a phishing site.

In Other Cybercrime News…

Toyota Recalls 1.9 Million Prius Hybrids Over Software Flaw

Faulty software in Toyota's popular Prius hybrids has forced the Japanese automaker to recall 1.9 million of such vehicles worldwide. The huge recall—representing more than half of all Prius cars ever sold—shows how Toyota has adopted an increasingly cautious stance as major automakers struggle with the rise of software-related car problems.

Read More

(Un)Cover Oregon: State’s Healthcare Exchange Website Still Inoperable Four Months After Planned Launch

IT Hiccups of the WeekLast week was a rather slow week with regard to the number of reported IT errors, miscalculations, and problems. So we decided to start off this week’s IT Hiccups edition with a status check of some state Affordable Care Act (ACA) website implementations.

While most of the major snafus that plagued the operations of the U.S. government’s ACA website have been taken care of (making changes to policies still seems an issue, however), IT issues associated with several states’ implementation of the ACA continue. A nice summary accompanied by myriad news links to the difficulties in four states—Oregon, Minnesota, Massachusetts and Maryland—was provided in a ProPublica article published last week.

Oregon’s healthcare exchange, Cover Oregon, is having the worst time of it. Four months after its originally planned launch date of 1 October 2013, the $220 million site still hasn’t signed up one person for healthcare insurance.  Some 35 000 Oregonians have been enrolled in Cover Oregon via paper applications; the state has had to hire 400 workers, at a cost of $4 million, to process those applications. It is still unclear, however, when (or if) the Cover Oregon’s website will get up and running.

Read More

Virtru Crafts Countermeasures to Combat E-mail Snooping

This Week in Cybercrime Anyone who still thinks that e-mail is a secure method for sending and receiving information, raise your hand. Well, it isn’t. Now, put your hands down and pay attention. When e-mail was first created, security was an afterthought. But in the wake of revelations about spying the United States, China, and others, companies are attempting to remedy that by introducing new methods for encrypting messages.

One such company, a startup called Virtru, was founded by a former NSA data security researcher named Will Ackerly. He says the company’s secret sauce is in a browser extension that handles the encryption and decryption of content right on the device. It allows computer users to send secure messages through Gmail, Outlook, and Yahoo webmail interfaces without an external client. The software instantly encrypts whatever the user types in the body of an e-mail. The result: even the Web mail provider only sees encrypted content. Messages are encrypted in the Trusted Data Format (TDF). Ackerly knows quite a bit about TDF; he helped create the open-source security format in 2008 while still in the employ of the NSA.

Ackerly took the additional step of featuring elliptic curve Diffie-Hellman ephemeral key exchange, which means that Virtru generates a new Secure Sockets Layer, or SSL, key for every new e-mail session. Old ones are discarded. So if a hacker somehow gains access to a key or a government agency demands that it be turned over, its value is limited because it wouldn’t decrypt messages sent or received in previous sessions. This is meant to prevent a repeat of what happened to Lavabit, Edward Snowden’s former e-mail service provider. Lavabit fought, but ultimately lost, a court battle over whether it had to turn its SSL key over to the U.S. government, giving the Feds the ability to read all of its customers’ messages.

Virtru is also thinking about letting its customers manage their own keys. This would give a Virtru user the ability to limit access in terms of who can see a message and for how long. A sender could revoke a key and block access to a message, or rig it to expire at a preset time. Forwarded messages would remain encrypted and unreadable unless the new recipient receives authorization from the original sender.  

Ackerly says Virtru plans to offer the service, including all the aforementioned features, for free. According to a Computer World article, the company will generate revenue by “licensing its key management software to businesses, as well as offering other management and access visualization tools for encrypted email. Mobile clients are in the works as well, for Android and iOS.”

Target (and Its Customers) the Victim of Lax Network Security

Investigators are learning more about the data breach that let cybercriminals walk away with the credit and debit card information of tens of millions of Target customers over the holiday shopping season. And what they’re finding is troubling. The upshot: It’s becoming abundantly clear that the incident was not as much due to the genius of the hackers as it was to Target’s poor security controls.

Security blogger Brian Krebs, who originally broke the story of the Target breach, revealed on his blog that hackers gained access to Target’s network using login credentials they had stolen from a heating, ventilation, and air conditioning company. That vendor, Fazio Mechanical Services, was given access to Target’s network so that it could perform tasks such as remotely monitoring stores’ temperature and energy consumption. But it seems the retailer neglected to wall off the parts of its network containing sensitive payment card data.

Krebs says that according to sources close to the investigation, Target’s insistence that the company was the victim of a sophisticated cybercriminal campaign is purely make-believe. Once the hackers got their hands on Fazio’s username and password, they probed the network undetected, tested their malware on a few of Target’s point-of-sale devices, and eventually uploaded the malware to most of the cash registers connected to the network. The operation did not require the services of a criminal mastermind.

But it should have. The Payment Card Industry Data Security Standard, which companies like Target are required to follow, specifically says that companies should segment their networks and isolate sensitive cardholder data.

Facebook Domain Takeover Thwarted

Facebook celebrated its 10th birthday this week. The Syrian Electronic Army (SEA), decided to crash the party by attempting to hijack the social media site’s domain name and reroute it to a server under the hacker group’s control. The cybercriminals managed to get as far as modifying the WHOIS information for facebook.com, so that the domain's listed contact address was in Damascus, Syria. But they were thwarted in the more crucial step of pointing the website to one of their own servers because Facebook’s domain name registrar, VeriSign, has a registry lock feature requiring additional verification before making such a change.

You would think that requiring additional verification would be de rigueur, but the SEA has gained wide notoriety for successfully taking over domain names such as nytimes.com, sharethis.com, huffingtonpost.co.uk, and twitter.co.uk. (For a detailed account of such a domain name theft, read Steven Cherry's 2005 account of the attack on New York City ISP Panix.) In this instance, just as with the hacker group’s previous takeover campaigns, they attacked the target via a third party. The cybercriminals managed to gain some level of admin control at MarkMonitor, a domain name management company. The MarkMonitor hack was what allowed the SEA to change facebook.com’s WHOIS address.

In Other Cybercrime News…

 

F-35 Software: DoD's Chief Tester Remains Unimpressed

IT Hiccups of the WeekLast week was a very quiet week in regard to reported IT-related system snarls, snags and snafus. With yesterday being ground-hog day here in the U.S., and in keeping with the spirit of the movie of the same name, I have decided to return once more to F-35 Joint Strike Fighter and its continuing software “challenges.”  

Last week, the Department of Defense's Director of Operational Test and Evaluation (DOT&E), J. Michael Gilmore, publicly released his annual report on major U.S. defense acquisitions. Gilmore reiterated his frustration with the lack of reliability and supportability of software in major defense support and weapon system programs. While Gilmore’s report highlighted many defense programs' software problems, those related to the F-35 continue to hold center stage.

For instance, in October 2013, a new increment of Block 2B software—the block that provides initial combat capability—that was supposed to include many fixes to previously identified deficiencies, began flight testing, the report says. However, the DOT&E report goes on to say:

“Initial results with the new increment of Block 2B software indicate deficiencies still exist in fusion, radar, electronic warfare, navigation, EOTS, Distributed Aperture System (DAS), Helmet‑Mounted Display System (HMDS), and datalink. These deficiencies block the ability of the test team to complete baseline Block 2B test points, including weapons integration.”

Although plans call for the military to “complete Block 2B fight testing in October 2014...there is no margin for additional growth to meet that date,” the DOT&E report found. “Projections for completing Block 2B fight testing using the historical rate of continued growth ... show that Block 2B developmental testing will complete about 13 months later, in November 2015, and delay the associated fleet release to July of 2016.”

In addition, the DOT&E report notes that there are still problems with the F-35's Block 2A software, i.e., the block that is “designed to provide enhanced training capabilities to the Integrated Training Center at Eglin AFB, Florida, and to the first operational units.”

The F-35 test teams found:

“deficiencies in the aircraft sensor operations, particularly the Electro-Optical Targeting System (EOTS), aircraft communications capabilities, pilot electronic interfaces, and the aircraft Caution, Advisory, and Warning System. Although the software was intended to provide more mission systems capability, poor sensor performance and stability, excessive nuisance warnings, and disproportionate pilot workload required for workarounds and system resets made the software of limited utility for training. In any type of operational mission scenario, the performance of the software would be unacceptable.”

These and other software issues, e.g., related to the F-35's Autonomic Logistics Information System (ALIS)—as well as non-software related problems—notwithstanding, neither the U.S. military's nor its international partners’ enthusiasm for the F-35 has diminished. The Marine Corps, for instance, insists it's still planning for a 2015 IOC (initial operating capability) for its F35B version, while the U.K. says it is close to placing its first order and South Korea is expected to do so later this year.

The F-35 Program Office complained that while Gilmore’s report “was factually accurate” it “did not reflect concerted efforts under way by this office and industry to address software, reliability and maintenance issues,” Reuters reported. “Of course, we recognize risks still exist in the program, but they are understood and manageable,” the Program Office insisted.

Gilmore may need to remind the F-35 Program Office (again) that the DOT&E office deals with facts, not promises.

Gmail Glitch May Have Deleted Emails

I noted in last week’s IT Hiccups that Gmail and many other Google online applications including Calendar, Talk, Drive, Docs, Sites, Groups, Voice and Google+ Hangouts suffered an outage on Friday, 24 January that lasted a little more than an hour.  While Google says that the outage—caused a “software bug” that resulted in a misconfiguration of its systems—was quickly fixed, apparently there was some collateral damage that wasn’t immediately discovered.

As reported by the Verge, some Gmail users received a message early last week that stated, “You may have been impacted by a recent issue in Gmail that inadvertently caused some actions (e.g. delete, report spam) taken while viewing a message to be applied to a different message. The issue occurred between January 15 and January 22 and is now fixed. We encourage you to check your Trash and Spam folders before February 14, 2014 for any items you did not intend to delete or mark as spam and move them back to your inbox. We apologize for any inconvenience.”

It is not clear the exact number of Gmail users that were affected (Google indicates no more than 0.2 percent of its users), since only some platforms (e.g., Google’s iOS app, on mobile browsers, and the offline version of Gmail) and only some users of those platforms were affected.

Aspiring Drivers in Ahmedabad, India Frustrated by Transport Office Server Problems

There are some universal experiences that bond all humans together, like the enjoyment of good food, hearing good music, and wasting one’s time waiting at a department of motor vehicle office.  As reported by the Ahmedabad Mirror, we can all no doubt empathize with the 800 Amdavadis who had booked in advance a time to come in and apply for their learner’s license but “were forced to cool their heels for hours at Ahmedabad Regional Transport Office near Subhash Bridge” because of a server problem.

The Mirror story stated that the server problem occurred last Thursday morning, and officials at the RTO had hoped to resolve the problem by noon. However, this didn’t happen; the problem wasn’t fixed until late Friday. Meanwhile, RTO officials told the disappointed applicants who had waited right through the time the office closed on Thursday afternoon to come back and wait again this week.

F-35 Joint Strike Fighter Software Problems Linger On

F-35 Software Remains Seriously Flawed

Software Issues May Affected Marine F-35 Planned IOC

What’s Likely Behind F-35 Software Issues?

F-35 Program Office Says Its “Laser-focused” on Software Problems

Some Gmail Users May Have Had Email Accidentally Deleted

Gmail Bug Deletes Some Users’ Emails

Gmail Glitch Affects Emails

Only 0.2 Percent of Gmail Users Likely Had Emails Deleted

Aspiring Drivers in Ahmedabad, India Told To Come Back After Server Shuts Down Testing

RTO Server Crash Frustrates Learner’s Driving License Applicants

Of Other Interest …

Software Problems Distorting UK Further Education and Skills Statistics

Problems Plague Boston’s New MBTA Rail Cars

Citibank Payment Problems Affect UK Tax Filings

Successful State Health Exchanges Worry over ACA Flaws

Multi-Year NHS Glitch Causes £3.4 million in Over-payments to Scottish Dentists

Computer Issue Causes Urgent Jury Summons in Delaware

Photo: U.S. Air Force

App Proves Adage: Just Because I’m Paranoid Doesn’t Mean They’re Not Watching Me

This Week in Cybercrime A team of researchers at Rutgers University in Piscataway, N.J., has developed an Android app designed to heighten awareness of just how frequently cellphone users’ location information is accessed by apps and other software. "All apps that access location need to request permission from the Android platform," Janne Lindqvist, who led the research project, told Computerworld. "The problem is that people don't pay attention to these default disclosures."

The team noted that although Android phones feature GPS indicator that flashes on and off when an app is trying to access the user's location, most people never notice it or simply misunderstand the message being conveyed by the icon.

Their app—which they tested on several Android devices running apps including Firefox and Tunein Radio—bridges that communication gap by flashing a message across the handset’s screen: "Your location is being accessed by [app name]."

The idea is to get consumers thinking about why apps such as Angry Birds and Dictionary.com collect location and device ID information and to find out whether awareness of this data collection will affect users' attitudes towards apps. As expected, participants in the study [pdf] featuring the app were surprised at how often some apps accessed their location, and that some other apps accessed their location at all.

The team says it is putting the finishing touches on its app (currently known as the RutgersPrivacyApp) so they can make it available at the Play Store.

Which Retail Stores Haven’t Been Hacked?

Last week, we asked which chains, other than Target and Neiman Marcus, had seen their point-of-sale systems give away the store with respect to their customers’ credit card information. We noted that security researchers had already uncovered evidence that half a dozen more companies had had their digital pockets picked. But apparently that was the tip of the iceberg. It was revealed this week that payment card information has been stolen from several dozen retailers’ networks since the end of October. The culprit in the overwhelming majority of those cases was a memory-scraping malware program called ChewBacca. The program—so named because the Star Wars character appears prominently on the login page for the server that collected data from infected machines—also has a keylogger and installs an executable file that lets it survive system reboots.

Though ChewBacca was first identified by researchers at Kaspersky Lab in a December blog post, much of what we’ve learned about it since has been uncovered by antifraud researchers at RSA. After analyzing the malicious code and its command-and-control infrastructure, RSA figured out that 32 of the 45 affected retailers are based in the United States; others are in Russia, Canada, and Australia. The researchers wouldn’t reveal the identities of the compromised retailers, saying only that they have advised the companies to report everything they know to the proper authorities.

Hackers R Us

An international law enforcement operation has netted the low-hanging fruit on the tree of online criminal activity. Officials proudly announced that they’ve snatched up 11 people in the United States, India, China, and Romania and have charged them with crimes based on their alleged involvement with websites offering e-mail hackers for hire. Authorities say the suspects—who were the operators of websites such as needapassword.com—or the sites’ clients were responsible for hacking into fewer than 10 000 e-mail accounts. Meanwhile, the cybercriminals that run phishing schemes aimed at gaining access to tens of thousands of inboxes at a clip go on unmolested.

Oracle’s Jedi Mind Trick: This Is Not a Security Flaw; It's a Configuration Error

Bad: Two vulnerabilities in Oracle’s older database packages allow hackers to access a remote server, view the server’s file system, and dump files—all without a password. Worse: More than two years after security researcher Dana Taylor reported the flaws, Oracle has yet to release a patch for one of them, and, according to Taylor, the patch belatedly created for the other didn’t actually fix the vulnerability. Worst—for Oracle, anyway—Taylor kept detailed notes on her interactions with the company.

3VILDATA Blogger Discovers Key to Making Good Modems Go Bad

Security researcher and blogger Andreas Lindh reported this week that hackers can take advantage of security holes in some USB modems and force the machines to send malware-laced text messages to any phone number or act as staging areas for spear-phishing attacks. Lindh declined to identify the manufacturer of the device upon which he carried out the exploit because he had yet to notify the vendor.

In Other Cybercrime News…

Aleksandr Andreevich Panin, a Co-Creator of the SpyEye Banking Trojan, Pleads Guilty

VPN Bypass Bug Recently Found to Affect Android Jelly Bean 4.3 Now Identified as a Problem for Android KitKat 4.4.

Gag Orders Related to U.S. Government Demands for Data from Telecom Companies Under the Foreign Intelligence Surveillance Act Have Been Partially Relaxed

Senators Question Intelligence Officials About Snowden, Domestic Surveillance

Issa, Five Other Congressmen Call For DNI Clapper’s Removal

 

How a Misplaced Decimal Point Led to €188 Million in Unintended Gov't Largesse

IT Hiccups of the WeekLast week was an unusually busy week across the global landscape of IT-related snafus, snarls and peculiar system interruptions. For instance, last Wednesday, quick-drying cement from a nearby construction site accidentally flowed into the London Underground’s Victoria line signal control room, significantly disrupting Central London Tube service for the day. Then, on Thursday, a human error during system maintenance caused a power outage that took out the automated train signaling system for three of New York City’s Metro-North lines, stranding thousands of the city’s train commuters for a good part of the evening. In light of these two events, I decided to start this week’s IT Hiccups with a software-cum-human error that occurred late last year, but only lately has been explained.

In mid-December, the Amsterdam Herald reported that Amsterdam’s tax office was trying to figure out how €188 million was mistakenly paid out in annual government rent subsidies to some 10 000 people instead of the expected €2 million or so. In some cases, people received as much as €34 000 in housing subsidies.

What made the error more disconcerting was that no one in Amsterdam’s tax office seemed to have noticed. The Amsterdam Herald quoted City alderman Pieter Hilhorst as saying, “How can it be that no alarms went off? ... It seems we’re able to pay out €188 million without realizing it.”

The investigation into the error ordered by Hilhorst recently disclosed that the software used by the Amsterdam government “calculates payments in cents rather than euros” and no one in the finance office seemed to have noticed the slight discrepancy. A story at Dutch News states that “all but €2.4m of the €188m in wrongful payments” has been recovered (while half of the remaining amount probably will never be paid back). Furthermore, says the Dutch News story, the city spent some €300 000 trying to understand and fix the situation. Other news reports state that the Amsterdam city council is putting more controls over its finance office to keep such an error from happening again.

It could have been worse: Amsterdam could have been launching a $125 million Mars Climate Orbiter and lost it because of a failure to convert from English to metric units.

China Suffers Web Outage It Blames on Hackers; Others Say it Was Self-inflicted

Last Tuesday, the New York Times and others reported that up to two-thirds of Internet traffic in China—text, audio, and video sent by hundreds of millions of people—was disrupted by what the Chinese government said was the work of hackers associated with the Falun Gong movement. The Times stated that, “The China Internet Network Information Center wrote on its official Weibo account that the outage was caused by a glitch in the Domain Name System servers that convert alphabetical website addresses into the numerical addresses of computers on the Internet. Instead of matching the names of popular Chinese sites with their proper addresses, the DNS servers instead redirected users to an address associated with the homepage of United States-based Dynamic Internet Technology.”

DIT, the Times states, “is best known for a software tool called Freegate that helps Internet users in China circumvent the government’s pervasive system of online censorship and filters.”

DIT denied any involvement in the outage, and said that it was more likely caused by a “misconfiguration” in China’s own Great Firewall Internet censorship program. DIT's contention was supported by Greatfire.org, which collects information pertaining to Internet censorship in China.

As of now, China is still claiming to be a hacking victim, although the government apparently is softening its accusations by saying it isn’t sure who is responsible.  

Gmail and other Services Experience Outage

On Friday, Gmail and many other Google online applications including Calendar, Talk, Drive, Docs, Sites, Groups, Voice and Google+ Hangouts went down at about 1410 EST and didn’t return until 1520 EST, Computerworld reported. Google, says Computerworld, stated that for about 25 minutes, “most” users of its online services were unable to access them, thereby potentially affecting hundreds of millions of users around the world.

 Google apologized for the outage, saying that “an internal system that generates configurations—essentially, information that tells other systems how to behave—encountered a software bug and generated an incorrect configuration. The incorrect configuration was sent to live services over the next 15 minutes, caused users’ requests for their data to be ignored, and those services, in turn, generated errors.”

On the same day, a different and pretty bizarre Google-related hiccup caused David S. Peck of Fresno, California, to receive thousands of no-subject, blank e-mails. According to this story at Time, “users who searched [in Google search on Friday for] ‘Gmail’ were led to a results page with a link that said ‘Email.’ Clicking that link created a new email with Peck’s address—dsp559@hotmail.com—already filled in.”

Tech Crunch, which first reported the story, has some interesting screenshots and other background information on the weird error.

Google, which fixed the problem by late Friday night, has apologized to Peck “for any inconvenience caused.”

Amsterdam Pays Out 100 Times More in Rent Subsidies Than Planned

Amsterdam Investigates Error that Causes €188 Million Benefits Overpayment

Software and Staff Blamed for Amsterdam Benefit Error

Amsterdam Error Caused by Software and Poor Staff Oversight

Two-Thirds of China's Internet Disrupted

China Blames Hackers for Internet Problems

China Internet Outage May be From Censorship Changes

Unclear What Caused China Internet Outage

Gmail, Other Google Services Experience Outage

Gmail and Other Services Go Down for Over an Hour

Google Apologizes and Explains Reasons for the Outage

Bizarre Google Bug Sends Unwanted E-mails to Hotmail Account

Google Glitch Sends Thousands of E-mails to One Man’s Hotmail Account

Of Other Interest …

Commuter Chaos as Quick-Drying Cement Fills Victoria Station Control Room

Human Error Blamed for Metro-North Train Delays

Auto Credit Cars Inadvertently Disabled by Software Problems

Telecommunications Services of Trinidad and Tobago Paychecks Delayed by Technical Error

Arkansas State Workers Receive Paychecks Early Due to Software Error

Russia’s Avia Center Refunds 800 Customers for Plane Ticket Glitch

Lloyds Banking Group Technical Issues Affect ATMs and Debit Cards Across UK

Apple Will Fix iOS 7 Random Reboot Issue

UK Screwfix.com Screw-up Gives Scrooge-Approved Bargains

Millions in Switzerland Charged Twice for Debit/Credit Card Purchases

Tech Problem Duplicates Visa Debit Payments at Bank of Ireland

Maine’s Unemployment System Payment Glitch Fixed

Software Issue Shuts Down Melbourne's Docklands Observation Wheel

Taiwan Demonstrators Protest Persistent Problems with eTag System

Illustration: Bjarn Kindler/Getty Images

Which Retailers Besides Target and Neiman Marcus Have Been Hacked?

This Week in Cybercrime We learned this week that the upscale retailer Neiman Marcus suffered basically the same security breach as the one that affected Target during the height of the holiday shopping season. Malware installed on its networks infected its point-of-sale system; the malicious code collected payment card data, including PINs, for 1.1 million customers.

While Neiman Marcus and Target—whose security lapse left credit card data for 70 million of its customers in the hands of cybercriminals—have been in the news, they’re not the only ones who've had their digital pockets picked. According to researchers at IntelCrawler, an online intelligence-gathering service that helps firms spot cyberthreats, chatter on forums where cybercriminals ply their trade has revealed that as many as six other retailers have also had their systems—and their customers’ information—compromised. IntelCrawler is not naming names, but says it is providing technical information related to the breaches to the appropriate authorities.

NSA Phone Snooping Illegal and Ineffective, Says Review Board

The U.S. government’s Privacy and Civil Liberties Oversight Board released a 238-page report [pdf] this week calling the National Security Agency’s collection of metadata related to U.S. residents’ phone calls illegal and recommending that the practice be ended. The panel concluded that the program not only “lacks a viable legal foundation under Section 215 [of the U.S. Patriot Act]” but has also been largely ineffective.

“We are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack,” said the board’s members. “And we believe that in only one instance over the past seven years has the program arguably contributed to the identification of an unknown terrorism suspect.”

Fill-Up Fraudsters Nabbed

A team of fraudsters who installed Bluetooth-enabled skimmers on the credit card readers at refueling stations across Texas, Georgia, and South Carolina were indicted this week. The thirteen defendants allegedly stole more than US $2 million from customers who filled their tanks at Raceway and RaceTrac stations between March 2012 and March 2013. Because the skimmers communicated via Bluetooth, the thieves could surreptitiously download the data without ever rousing suspicion. According to the criminal complaint, the gang used the stolen credit card information to produce phony cards that they subsequently used to withdraw cash and spread it across 70 different accounts in an effort to launder the money.

In Other Cybercrime News…

Image: Getty Images

Cybercrooks Score: Half of All South Koreans’ Credit Card Data

If you didn’t know, now you know: there probably shouldn’t be any expectation that credit card information—or any personal details stored in digital form—is completely safe from hackers. Just as shoppers in the United States were grappling with the theft of 70 million credit card accounts from Target, comes word that credit card data for nearly half of all South Koreans has been purloined. More than 20 million South Korean credit card accounts, including those belonging to President Park Geun-hye and United Nations Secretary-General Ban Ki-moon, were part of the trove plundered in the cyberheist.

Read More
Advertisement

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 
Load More