Risk Factor iconRisk Factor

U.S. Navy: “I Thought the Other Guy Was Doing Security”

The Wall Street Journal reported this week that security holes exploited by suspected Iranian hackers  existed because of “a poorly written contract with computer-services provider Hewlett-Packard.” Under the terms of the contract, H-P wasn’t required to secure the Navy Department databases. But the Navy, under the mistaken assumption that the computer company was the sentry at the gates, didn’t assign personnel to oversee security for the databases. The lapse made the computer network ripe for the picking. How ripe? So much so, an unnamed source told WSJ that restoring the Navy network took four months and cost about US $10 million. The source, a senior defense department official said that “after the Iranian hack, the Navy took stock of its security efforts and drew up a list of 62 security issues…Some [will] cost more than $100 million and may require asking Congress for permission to redirect funding.”

Though it’s clear that, in the parlance of politicians, mistakes were made, everyone currently or recently in charge is being spared the indignity of being blamed for this massive screw-up. The unnamed defense official said the comedy of errors was based on “decisions made years ago as to what the Navy network structure should be and what kind of risk it was comfortable taking.” Because the contract was first awarded in 2000 and last updated in 2010, Vice Admiral Michael Rogers, who served as the Navy's cyber chief in 2011 and oversaw the cleanup, has been able to sidestep blame for the cock-up as Congress prepares to vet him for the role of director of the National Security Agency.

300 000 Routers Hijacked

Security researchers at Team Cymru in Lake Mary, Fla., published a report this week revealing that more than 300 000 small office and home office routers located across Europe and Asia have been compromised during a rash of attacks that began in mid-December. Team Cymru says hackers began overwriting the DNS settings on routers from a number of manufacturers, including TP-Link, D-Link, Micronet, and Tenda, and rerouting traffic to attacker-controlled sites. The victims, say the researchers, have been located mainly in Vietnam, Thailand, India, and Italy.

The attacks were first detected in January. The Cymru researchers noticed that several TP-Link routers were redirecting victims to two IP addresses that were unrelated to the sites unwitting computer users were trying to reach.

The attackers took advantage of a cross-site request forgery vulnerability on the devices that gave them admin privileges without them having to provide even so much as the default authentication password.

Team Cymru said it immediately notified the affected vendors, but when none responded, it shared the information with law enforcement.

Though there are similarities between this set of attacks and those suffered by several Polish banks in recent weeks, the Cymru report notes that, “The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability. The more manually-intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group.”

Cisco Issues Internet of Things Grand Challenge

There’s good reason for concern over the prospect that the “Internet of Things,” the name given to the point when just about every electronic device will be connected to the Internet, will create innumerable points of vulnerability that can be exploited by hackers. Few of these gadgets were originally created with security in mind. With that in mind, Cisco Systems has created the Internet of Things Security Grand Challenge, a $300 000 global competition whose winners will be the people who come up with innovative yet practical ways of securing millions of gadgets and the networks to which they connect. The entries will be judged on four criteria: feasibility, scalability, performance and ease-of-use; applicability to multiple industries and applications; technical maturity and viability of the proposed approach; and the proposers’ expertise and ability to feasibly create a successful outcome.

According to Cisco Security Group Senior VP Chris Young, as many as six recipients will be awarded between $50 000 and $75 000 at the company’s second annual Internet of Things World Forum in Barcelona, Spain later this year. The deadline for submissions is 17 June.

Report Suggests How to Secure the Grid from Cyberattacks

Another potential point of vulnerability to cyberattacks is the electric grid. And so although it’s not technically appropriate for a blog called This Week in Cybercrime, we’d be remiss if we didn’t report that a group of current and former U.S. government officials and representatives from the entities that operate the grid did last Friday. They convened a panel at the Bipartisan Policy Center in Washington, D.C., and presented a new report (PDF) containing guidelines for protecting North America’s grid. The report also included recommendations for what to do if the grid is ever compromised.

Matthew Wald, an energy reporter with the New York Times and the moderator of the panel session, noted that of the more than 250 cybercrime incidents reported to the U.S. Department of Homeland Security last year, two-thirds of them targeted the energy sector in general and the grid in particular.

“What permeates the report is that you can’t win this just defending the perimeter, you can’t win this with just prevention and defense,” former National Security Agency and C.I.A. Director General Michael Hayden said. “It’s the concept of resilience, what happens after things start to go wrong?”

Among the proposals in the paper, whose authors include Hayden, is the creation of a new Institute for Electric Grid Cybersecurity modeled after the Institute of Nuclear Power Operations. That group was formed in 1979, in the aftermath of the nuclear accident at Three Mile Island.

Cyberthreats: Assessing the Enemy Within

Clear your mind. Now quickly conjure the image of a group of hackers breaking into a corporate database. Did your mental image include the corrupt middle manager acting as the team’s inside man? How about the middle manager who violates security protocols and unwittingly opens the door to a cyberattack? A just-released report from PricewaterhouseCoopers (PwC) focuses attention on all aspects of global economic crime, not just cybercrime, but one of the things that stood out is how frequently the enemy lurks within an organization. “Many times those who are colluding [with hackers] are individuals inside these companies who have administrative access to the corporate computer system," Steve Skalak, a partner in PwC's forensic service practice told Investors Business Daily. Skalak coauthored the Global Economic Crime Survey.

The report notes that an increasing share of internal fraud of all types is being committed by middle managers—54 percent in 2012 versus 45 percent in 2011. PwC has even developed a profile of the average middle management fraudster: a man whose tenure with the organization is six years or longer.

"Because they have more intimate knowledge of internal processes and infrastructure, better access and higher trust, they can be a much more challenging 'enemy within' compared to junior employees or external fraudsters," Amir Orad, CEO of Nice Actimize, a New York-based unit of financial security software firm Nice Systems (NICE), told Investors Business Daily. He adds that middle managers who are actively involved in cybercrime tend to “feel they haven't been properly appreciated or compensated.”

Other middle managers, says Orad, may just be duped into helping hackers. "Because of [their] access, middle managers may unknowingly be accomplices to cybercrime and fraud by having their credentials and accounts taken over by cybercriminals. Cybercriminals know that middle management has access to key systems and therefore target this layer within the organization."

Meetup Website Suffers DDoS Attack After Spurning Ransom Demand

For five days, many groups that make connections via the social media site Meetup were unable to. The website was felled by several massive DDoS attacks that began last week and resulted in a protracted battle against the cybercriminals to keep the site up and running.

Last Thursday, Meetup CEO Scott Heiferman received an e-mail that said, "A competitor asked me to perform a DDoS attack on your website." Heiferman revealed in a blog post that the sender said the attack wouldn’t happen if the company forked over a measly $300. When the company refused, reasoning that to negotiate with criminals would make the site a target for further extortion—demanding much greater sums—the series of attacks began. The site was quickly overwhelmed, but service was restored by Friday morning. The battle didn’t end there, however. Another attack brought the site down again, and as of Monday, Meetup was reporting that it was working urgently to restore functionality. By Tuesday, it was back online, with a link on its homepage to some FAQs related to the outage. The company was quick to reassure customers that none of their personal data, including credit card information, was accessed during the cyberattack.

Cybercrime Hits the Airwaves

CBS is planning to air a spinoff of the hit TV series "CSI" (short for Crime Scene Investigation) that will focus on the agents in the FBI's cybercrime division.

 

 

 

GM’s “Heavy Keychain Recall” Reaches 1.6 Million Vehicles

IT Hiccups of the WeekThere was a plethora of IT-related faults, errors and defects reported last week. We start off this week’s edition of IT Hiccups with what arguably is not a classic IT problem but a more general electronically-related one that affects over 1.6 million GM vehicles.

A few weeks ago, a New York Times article reported a world-wide GM recall (pdf) of 778 000 or so 2007-model-year Pontiac G5 and the 2005-7 Chevrolet Cobalt (619 000 in the U.S.) because a “jarring event” such as a crash, bumping the ignition, or a heavy key chain could inadvertently cause the cars’ ignition switches to move from the run position to the accessory position. Switching into that mode would disable the cars’ engines and prevent their air bags from deploying.

At the time, the Times reported that GM “knew of six deaths in five crashes in which the front air bags did not deploy” as well as 17 additional crashes “involving some type of frontal impact and nonfatal injuries where the air bags did not deploy.”

A GM spokesperson, having insisted that, “Safety of our consumers is paramount to G.M,” also tried to minimize the recall by saying that, “All of these crashes occurred off-road and at high speeds, where the probability of serious or fatal injuries was high regardless of air bag deployment. In addition, failure to wear seat belts and alcohol use were factors in some of these cases.”

GM recommended using only the key issued with the affected vehicles until the ignition switch is repaired.

In addition, GM disclosed the news that it had issued a service bulletin in 2005 about the issue to its dealers, although the car manufacturer was not exactly forthcoming in saying whether dealers felt obligated to inform vehicle owners of the potential problem before (or after) purchasing their GM vehicles.  GM did say that “the ignition switch torque performance may not meet General Motors’ specification.” In other words, dealers were going to tighten the switch on the recalled vehicles.

A Detroit News story quoted several auto analysts who said “because the company took quick action” the reputation risk impact of the recall to GM was minimal, rating it as only a “6” on a scale of 10.

However, last week, GM expanded the recall by another 748 000 cars in the United States as it disclosed that four more of its vehicles—the 2003-07 Saturn Ion and the 2006-07 Chevrolet HHR, Pontiac Solstice, and Saturn Sky—also used the same ignition switch. The additions brought the total to nearly 1.37 million vehicles in the U.S., and 1.6 million vehicles worldwide. What’s more, GM revealed that the number of related deaths has reached thirteen and the number of reported crashes due to the defect rose from 22 to 31.

GM declined to explain to various news media inquiries why it did not include those vehicles in its original recall, why the additional crashes and deaths were not reported or linked to the others, or why it had taken so long for the company to issue a recall since it admitted that it knew of and had been studying the problem since 2004.

In fact, the Detroit News reported, GM “spent nearly a decade studying the issue and repeatedly opted not to recall the vehicles or pay for potentially expensive fixes.” GM, the Detroit News stated, “downplayed the ignition switch issue in prior years, including canceling in 2005 an approved redesign of the ignition key head. By the end of 2007, GM said it knew of 10 frontal crashes in which air bags didn’t deploy—linked to the ignition problem—but the automaker opted not to recall the cars.”

GM North America President Alan Batey, sensing that the recall issue had moved considerably higher on GM’s reputation risk meter, issued a “rare apology.” He said that GM was “deeply sorry” for the problem, and that the chronology of its actions, reported to the National Highway Traffic Safety Administration (NHTSA), showed that “the process employed to examine this phenomenon was not as robust as it should have been.”

NHTSA shortly thereafter announced it was launching an investigation into GM’s recall delay. GM faces up to a $35 million fine for not reporting problem in a timely manner to NHTSA. However, NHTSA was itself under heavy criticism from at least one U.S. senator for not acting earlier when it became aware of the problem with the ignition switch back in 2007. GM, in light of the NHTSA’s announcement, issued an unheard of second apology saying that, “We deeply regret the events that led to the recall and this investigation. We intend to fully cooperate with NHTSA and we welcome the opportunity to help the agency have a full understanding of the facts. Today’s GM is committed to learning from the past while embracing the highest standards now and in the future.”

A story in yesterday’s New York Times provides a bit more information about the chronology of the ignition switch issue. Among the damning details is the fact that back in 2004, GM engineers were able to replicate the problem and suggested a fix, but GM executives decided against it after “consideration of the lead time required, cost and effectiveness.”  Another example of company executives playing “pay me now or pay me later” roulette.

[Update 06 March 2014:  GM’s new CEO Mary Barra announced in an email to GM employees this week that she had put into place a “working group of senior executives, which I lead, to direct our response, monitor our progress and make adjustments as necessary.” In addition, Barra stated there is now “an internal review to give us an unvarnished report on what happened. We will hold ourselves accountable and improve our processes so our customers do not experience this again.” She added that, “We sincerely apologized to our customers and others who have a stake in GM’s success.”

To “help” GM with its inquiry, NHSTA has now sent a 27-page list of 107-questions seeking all GM information about the recall and why it wasn’t initiated earlier.

GM says that replacement parts for the defective ignition switches will begin to become available early next month.]

GM Chevy Silverado and GMC Sierra Truck Steering Control Malfunction

GM was also the source of an IT-related hiccup last week. According to Edmunds.com, GM is trying to convince NHTSA that a “glitch” affecting its steering wheel controls  is “inconsequential to motor vehicle safety” and doesn’t warrant the recall of more than 200 000 GMC Sierra and Chevy Silverado trucks manufactured between 29 January and 28 October 2013. Another recall would be quite embarrassing considering that the Silverado was recently named 2014 North American Truck of the Year. You may remember that just a few weeks ago, GM recalled 370 000 of those same two vehicles for a software update in order to reduce the likelihood that their exhaust systems would overheat and catch fire.

In this latest problem, GM says that, “under certain circumstances when an owner uses the steering wheel controls to browse and select songs to play from an external device (i.e., MP3 player) that is plugged into one of the vehicle's USB ports, the instrument cluster may reset. When the instrument cluster resets the analog gauges and identifications, the PRNDM [shift position] indicator, and the cruise control telltale will briefly turn off. In addition, some of the instrument cluster telltales may also illuminate briefly without the condition the telltale is designed to indicate being present.”

It doesn’t sound like a major safety issue, but it is one that could annoy or even distract a driver. However, given aforementioned GM ignition switch recall debacle, the previous software recall on the same vehicles, and the interesting interaction of what would seem to be at least on the surface disparate vehicle systems, NHTSA may want a bit more information from GM before granting it a waiver.

New Zealand Hospital EHR Outage Sparks Political Row

While not nearly on the same technical level as the Affordable Care Act health insurance exchange problems in the United States, a relatively minor electronic health record system outage in New Zealand has created much the same political hue and cry, apparently.

Last week, Dunedin Hospital, which serves the Otago catchment of New Zealand, suffered an electronic health record outage that lasted a little more than a day due to an apparent hardware problem. Staff reportedly resorted to paper records during the outage and the hospital said patients were not put at any risk by the outage. Coincidentally, New Zealand Prime Minister John Key, who leads a National-led government, was visiting the hospital the day after the EHR system crash. Key, who was on hand to open the hospital’s new neonatal intensive care unit, reiterated to the press that the incident was not a big deal, saying that anyone working with computers “will know that at some point they break down.”

Others, however, such as out of power Labour Associate Health spokesman David Clark, saw something sinister in the outage. Clark vigorously proclaimed that, “Patient care has been compromised, there's no doubt; radiation treatment didn't happen yesterday; there have been other monitoring mechanisms that are in place that just simply weren't working.” Clark said the EHR outage was obviously the result of the ruling government’s “cost cutting pressures.”

While Clark was clearly trying to score political points, the hospital apparently has no robust back-up systems in place to handle equipment or software outages. Given that the hospital recently admitted that a different IT failure that resulted in the loss of 4000 mammogram images taken in 2012, it is probably fair that some IT professionals are calling for a review of the hospital’s IT systems.

DMV Headaches Abound

We close this week’s edition of IT Hiccups with a couple of stories of motorists having trouble with their local department of motor vehicles, something all of us can readily relate with. The first is about a software error in the computer systems of the Washington, D.C., DMV that has existed for at least 5 years (and possibly as long as 15). The bug had made it extremely difficult if not impossible for motorists to get refunds for incorrectly issued traffic citations. At least 450 paid traffic tickets that were later voided were not refunded because of the error—a problem the DMV says is now fixed, but was addressed only after television stations started reporting on motorists fighting for years to get their refunds.

Next, news reports emanating from North Carolina indicate that problems with that state’s new DMV computer system have resulted in its offices “losing or delaying up to 35,000 vehicle inspections per month.” The computer system, the DMV says, “has had logic and code issues” that frequently keep the record of a successful vehicle inspection from being successfully communicated to the DMV from the state’s 7500 certified inspection stations.

Typically, the DMV sends out a bill to the motorist once it is notified of a passed car inspection. As a result of the computer problems, a motorist can’t pay for their car inspection nor can they pay their annual vehicle fee when it is due since the state doesn’t know that the vehicle has been successfully inspected as required by state law. According to media reports, there is no timetable for when the problem will be resolved.

Finally, news reports from across New York State indicate that local DMV offices have been experiencing repeated IT outages that are driving both DMV employees and motorists crazy. As in North Carolina, no one in charge seems to have a date in mind as to when the outage problem will be fixed.

Alas, would you expect anything different from the DMV?

GM Recalls 1.6 Million Cars for Ignition Switch Fix

GM Recalls 778 000 Small Cars for Ignition Switch Problem

GM Ignition Switch Recall Not a Big Deal Auto Analysts Claim

GM Adds 750 000 Cars to Recall Bringing Total to 1.6 Million

GM Delayed Ignition Switch Fix for Years

GM Issues Rare Public Apology Over Recall

NHTSA Launches Probe into GM Cobalt Recall

NHTSA Aware of Ignition Switch Issue in 2007

 Massachusetts Senator Markey Asks Where Was NHTSA?

Trail of Inaction in Ignition Switch Recall Debacle

Truck Glitch is Inconsequential GM Tells NHTSA

New Zealand EHR Meltdown Sparks Political Row

New Zealand Hospital Suffered EHR Outage

Labour Claims Patients Placed at Risk During EHR Outage

Review of Hospital IT Systems Called For

Motorists Suffer Because of State DMV Computer Woes

DC DMV Finally Fixes Software Error That Stopped Ticket Refunds

NC DMV Computer Error Affects Vehicle Inspections

NY DMV Offices Suffer Plague of Computer Problems

In Other News…

California Healthcare Insurance Website Software Problem Forces 14 500 Applicants to Start Over

Maryland Healthcare Insurance Website Flaws Cause $30 Million in Unnecessary Medicaid Payments

Washington State Healthcare Insurance Exchange Keeps 15 000 Applications in Limbo

Bomb Threat Sent in Error

Software Issue Delays Payment for Indian Eye Surgeries

Social Security Numbers Printed on Banner Health Address Labels

Milwaukee Fire Department’s New CAD System Has Flaws

New Digital Water Meters in LaVergne, Tennesse, Cause Billing Problems

Louisiana Disqualifies Food Stamp Recipients for Exploiting Benefits Glitch

Florida Says New Unemployment System Fixed, But Many Still Express Doubts

NPower Utility Billing Errors Power On

Swedish Company Accidentally Invites 61 000 to Job Interview

Pizzeria Unwanted Recipient of American Idol Votes

DeGeneres' Selfie Causes Oscar Twitter Crash

ABC’s Live Oscar Internet Stream Goes Out

Photo: GM/AP Photo

China Establishes Presidential Commission to Shore Up Its Cyberdefenses

This Week in Cybercrime China is often pointed to as the home base for bad actors in the world of cybercrime and alleged to be a participant in undeclared cyberwarfare. But China’s computer networks are not immune from attack. The government revealed the extent of its concern over cybercrime when it announced that President Xi Jinping is chairing a new working group on cybersecurity and information security. Though Xi will have a direct hand in drafting national policies aimed at improving cyberdefenses, the announcement offered no details about what its cybersecurity efforts would entail.

“Efforts should be made to build our country into a cyberpower,” Xi said in a statement released after the first meeting of the group on Thursday, according to the official Xinhua News Agency. “No Internet safety means no national security,” Xi said.

App Released by Security Conference Is Insecure

The most ironic (and obviously embarrassing) occurrence of the week took place at the RSA Conference in San Francisco. Security researchers from IOActive reported that the official mobile app for the leading computer security conferences is riddled with security vulnerabilities. Worst among the security flaws is one that makes man-in-the-middle attacks possible. A hacker could use the vulnerability to inject malicious code, masquerade as a legitimate website, and steal login credentials.

IOActive says a separate security hole, though not as dangerous, is actually more interesting. According to Kaspersky Lab’s Threatpost, “The application apparently downloads a SQLite database file that is then used to populate the app’s user interface with various conference information, like speaker profiles and schedules. Seems innocuous enough, but that database—for reasons that remain a mystery to [IOActive]—contains the first and last names, employers, and titles of every user that has downloaded and registered with the application.”

Apple Patches Major Security Flaw

Last Friday, Apple released iOS 7.0.6, which it tried to characterize as a fix to a minor security flaw. Despite the company’s nothing-to-see-here take on the update, observers immediately sniffed out that it must have been important. Why else would the company put out a standalone fix now when iOS 7.1, a large update to iOS 7 that is currently in beta, is likely to be released in the next week or so? The security community’s instincts were right on point.

The patch was for Apple's SecureTransport platform, which appears in OS X 10.9 for desktop and in all versions of iOS going back to iOS 6. A seemingly small coding error that went unaddressed for years made it so that machines’ SSL connections failed to properly check the certificates that serve as websites’ proof of identity. The vulnerability made the task of masquerading as a user’s banking site or e-mail provider or pretending to be Facebook, LinkedIn, the App Store (or now that it’s tax time in the United States, the IRS website), much easier. That lowered bar left people open to man-in-the-middle attacks—most likely by attackers intercepting signals at public Wi-Fi hotspots. Even though the little padlock icon in their browser windows was delivering the message that their connections were secure, they weren't.

The Verge reports that, according to researcher Ashkan Soltani, "the vulnerability extended to every application built on Apple's SSL library, including FaceTime, Mail, and Calendar.” These and similar apps, says Soltani, have been exposed on iOS because of the flaw since September of 2012. That was when iOS 6 was first introduced. Soltani says the exploit is "one of the most significant security vulnerabilities from a major company we've seen in a while,"

The just-released OS X 10.9.2 patched the security hole. The update patched 32 other vulnerabilities in various versions of OS X, including four flaws that could be used to bypass the application "sandbox."

The fallout may be limited, though, by the fact that taking advantage of the disabled SSL connection and other security holes is easier said than done. As Columbia cryptographer Steve Bellovin tells The Verge, "Man-in-the-middle attacks aren't that easy to launch, and they don't scale well." For most attacks, the hacker would need to be within Wi-Fi distance, which fits with reports about the flaw having been exploited in isolated incidents where someone’s information was stolen at a public hotspot.

The security flaw has been attributed to sloppy coding such as an inadvertently repeated "goto fail" line that managed to slip through Apple’s code coverage testing and remain in place because of an if-it-ain’t-broke-don’t-fix-it philosophy that kept the error hidden in plain sight.

The Odds Are Against Us

A reminder that security in our electronic transactions is likely almost always illusory came this week when analysts with cybersecurity firm Hold Security reported that they have obtained a list containing 360 million stolen online account credentials. The information, they surmise, was most likely the spoils of multiple data breaches. They say they stumbled upon the list while studying underground marketplaces where pilfered data is bought and sold. Alex Holden, Hold Security’s CIO, told Computer World that, February has been very fruitful for hackers, explaining that “one batch of 105 million details, discovered about 10 days ago by the company, included email addresses and corresponding passwords, but it isn't clear what Web services the credentials unlock.” The company’s researchers are still trying to piece together that part of the puzzle.

Hold Security, which offers a paid service that notifies companies when their stolen data is spotted online, says it has also found 1.25 billion e-mail addresses circulating among hackers. Address lists, important information for spammers, are regularly sold on underground forums.

Cybercrook Talks His Way Into Prison

A British national was indicted this week in the U.S. District Court for the Southern District of New York on charges that he hacked into several Federal Reserve Bank servers and stole names, e-mail addresses, and other personal information of the bank's staffers. The hacker, who was already facing charges in New Jersey and Virginia, for the server break-ins, is his own worst enemy. It seems that the authorities got wind of what he was up to only after he told other hackers in an IRC chat room that he had gained control of a server for the Federal Reserve Bank in Chicago. In other self-aggrandizing moments on IRC forums, says the criminal complaint, the hacker revealed that he’d also gained access to a Federal Reserve Bank server in New York. The indictment alleges that he also took to a chat room to announce his intention to post personal information of Federal Reserve employees.

“Lauri Love is a sophisticated hacker who broke into Federal Reserve computers, stole sensitive personal information, and made it widely available, leaving people vulnerable to malicious use of that information,” said the prosecuting attorney in a statement. “We place a high priority on the investigation and prosecution of hackers who intrude into our infrastructure and threaten the personal security of our citizens.”

So it should be just a matter of time before the perpetrators of the hacks that have led to millions of consumers’ credit card information being swiped are brought to justice. Perhaps those criminals will brag about their exploits in chat rooms too.

In Other Cybercrime News…

New Zealand Police Admit Sending 20 000 Traffic Tickets to the Wrong Motorists

IT Hiccups of the WeekThere was an interesting variety of reported IT snafus, snarls, and snags reported in the news last week. We start off with a story of a database update that didn't happen. The result: a massive number of erroneously issued traffic citations in New Zealand.

According to the New Zealand Herald, the country’s police force last week apologized for mailing over 20 000 traffic citations to the wrong drivers. Apparently, NZ Transport Agency, which is responsible for automatically updating drivers’ details and sending them to the police force, failed to do so from 22 October to 16 December 2013.  As a result, “people who had sold their vehicles during the two-month period… were then incorrectly ticketed for offenses incurred by the new owners or others driving the vehicles.” In New Zealand, unlike the U.S., license plates generally stay on a vehicle for its life.

National road policing manager, Superintendent Carey Griffith, was quoted as saying, “Police sincerely apologize to all of those who have been affected by this one-off technical issue, which has now been resolved… I can also reassure anyone who has been incorrectly ticketed as a result of our mistake that they won't need to pay the fine, and anyone who has paid in error will be completely refunded.”

News reports state that the police became aware of the problem only after a motorist complained that she had received a ticket for an automobile she no longer owned. A story at 3News/NZN reported that, “Police originally said there were 38,000 false fines, but later revised the number to 20,000 thanks to a separate mistake by police collating the data.”

The police have emphasized that they are not going to waive the tickets, which range from NZ $30 to NZ $630, for those who actually committed the traffic infringements. But they do admit that getting the whole mess sorted out will take some time.  Griffith is encouraging those who were likely incorrectly ticketed to call the Police Infringement Bureau “straight away,” but that might prove to be a problem, too: Griffith confessed that those who have tried have been experiencing long delays in trying to get through to the PIB since the error was disclosed.

North Carolina’s New PowerSchool Misfires

Parents, teachers, and school administrators in North Carolina must be getting tired of it all. Since 1998, they have had to suffer through the unreliable and problem-plagued performance of the state’s Windows of Information on Student Education, or NC WISE, system to manage and access student attendance, grades, test reports, and class schedules. The late and over-budget $52 million system’s performance was so bad that it became colloquially known as NC STUPID.

So when it was announced in 2010 that NC WISE would be phased out and replaced with PowerSchool, the sighs of relief across the state were almost palpable. The state promised that the rollout of PowerSchool should be “fairly smooth and require less change management than staff encountered in moving to NC WISE.” They also promised that the never-ending troubles associated with NC WISE would soon be only a bad memory. However, the state government of North Carolina, which has less than a stellar record in IT systems acquisition and management, has apparently managed to create an uncomfortable sense of déjà vu all over again across the state’s educational community.

For according to McClatchy News Service, the state’s new PowerSchool system that was rolled out last summer “has so many problems that the accuracy of transcripts, athletic eligibility and the number of students enrolled in schools is uncertain.” The system, for example, has not been able “to produce updated, accurate student transcripts, something high school seniors need to apply for college admissions and scholarships," which is making both the seniors and their parents very unhappy. In addition, PowerSchool cannot be counted on to verify whether student athletes are academically eligible to participate in their respective sports, a problem in a state where it is not uncommon to have more than half the students in a school participate in sports activities.

North Carolina education officials knew that rolling out PowerSchool last summer instead of this summer was “ambitious,” but convinced themselves that any issues would be minor. Why the rush? The idea of saving $2.1 million by rolling it out last summer seemingly played a big part in their decision, according to McClatchy.

North Carolina education officials are promising that PowerSchool, when it is fixed, will be better than NC WISE, but that is a pretty low bar to hurdle. If it isn't fixed soon, PowerSchool may soon be known around the state as ImpotentSchool.

California Online Health Exchange Falls and Took Days to Get Up

It is time once more for another look at the IT issues still impacting the rollout of the Affordable Care Act (ACA), aka Obamacare, at the state and federal levels. The 2014 open enrollment deadline closes on 31 March, unless that date gets delayed as several others have been.

We start with California’s health exchange, Covered California, which last Wednesday suffered what at first was described as a minor software “fault,” but was significant enough to take down its enrollment portal. State health officials promised that the issue was being worked on by “engineers around the clock,” and expected it would be solved no later than 1300 Thursday. Then the state revised the timetable, saying the fix would be completed by Friday morning. When that didn’t happen, they said they'd have it worked out over the weekend, and most recently, 0600 PST Monday. I checked early this morning, and the enrollment portal now appears to be operational. I will update this post if any lingering issues remain.

California health officials said that the problem originated, they think, with a planned software maintenance update the previous weekend. They apologized for the inconvenience.

Things have been going a bit better at Oregon's health exchange. Last week, Cover Oregon finally was able to enroll at least some small number of applicants online. However, individuals couldn’t sign-up online themselves; only insurance and other authorized agents who were allowed online access could complete the registrations. The reason is that the online system is still considered so buggy (it still had 1200 problems that need fixing) that state officials don’t dare let the average citizen attempt to use it.

Unfortunately, the Massachusetts and Maryland online health exchanges are still struggling to gain altitude. In Massachusetts, no one has been able to enroll for insurance online yet, and there is a backlog of 70 000 paper health insurance applications that still need to be processed. In Maryland, the state halted work on its small business health exchange (something California also did recently) until it figures out how to find someone to implement it correctly.

At the federal level, the White House confirmed that it will take “several months” before the automated payment system will be complete. Until then, “the administration won’t be able to verify how many of the consumers who signed up for Obamacare insurance are, in fact, paying their premiums and are hence truly enrolled,” CBS News reported. However many people actually do end up enrolling, Vice-President Biden admitted, it will likely be fewer than originally expected.

Also not hitting its original predictions is the cost of “the computer cloud that supports back-end data sharing for HealthCare.gov and state Obamacare marketplaces,” Nextgov.com reported last week. Instead of a final cost around $12 million, as predicted by the Centers for Medicare & Medicaid Services, Nextgov.com’s analysis now places the cost at some $60 million. Given all the money so far spent, at least CMS says that the performance has now reached an acceptable level.

Thousands of Drivers Get Undeserved Tickets in New Zealand

Over 20 000 New Zealand Traffic Tickets Wrong Issued

Police Apologize for Incorrect Tickets

Police Issue 20 000 Fines to the Wrong People

North Carolina PowerSchool System Misfires

NC Schools Dealing with Problem-Plagued Computer System

PowerSchool Has Some “Bumps” Officials Admit

PowerSchool's Rocky Start

California and Other State Health Insurance Exchanges Continue to Have Problems

Covered California Suffers Website Malfunction

Covered California Remains Offline

California Health Exchange Now Working After 5 Days

States Struggle with Online Health Insurance Exchanges

Oregon Finally Enrolls Health Insurance Applicants Online

Massachusetts Slowly Addressing Health Insurance Application Backlog

Maryland Halts Small Business Health Exchange

ACA Payment System Will Take Months to Complete

Biden Says ACA Enrollment May Miss Target

Cost of Obamacare Cloud Contract Has at Least Quintupled

In Other News …

United Airlines Suffers Reservation System Outage Again

New Zealand Novopay Bug Continues To Bug Teachers

Robocall Glitch Floods Arkansas Senate With Calls

Network Router Cause of WhatsApp Outage

Google Drive and Docs Out for 5 Hours

UK Nationwide Bank Experiences IT Problems

Kiwibank Suffers Tech Glitch

Banner Health Hospitals Feel IT Problems

Photo: Jeffrey Coolidge/Getty Images

Ohio Bank Erroneously "Files" Many of Its Depositors for Bankruptcy

IT Hiccups of the Week Last week saw an uptick in the number of reported IT problems, slip-ups, and complications. Among the more mind-boggling was the revelation that Fifth Third National Bank of Cincinnati informed its customers last week via a letter that, “We inadvertently reported that you filed bankruptcy to the following [four major U.S.] credit bureau reporting agencies.”

Oops.

What the Fifth Third National Bank’s letter didn’t tell its customers was that their "bankruptcy" status was sent to the credit bureaus Experian, TransUnion, Equifax, and Innovis last October because of an erroneous software update to its IT systems. The bank found the error in November, but it wasn't fixed until December. The letter also didn’t explain why the bank decided to wait until last week to inform its customers of the problem.

Fifth Third National Bank refused to tell inquiring news agencies exactly what happened, nor how many of its customers the bank falsely reported were in bankruptcy proceedings; it would only say it was a “limited” number. However, a couple of news reports placed the number at over 20 000.

The bank did put out a statement saying that it corrected the false information with the four credit bureaus, and that if a customer did not have a credit issue before receiving the letter, they “should” not have one now. It also stated that, “The accuracy of our customers’ credit history is important to us, and we will ensure that no customer will suffer negative impact.”

Well, maybe no new credit problems because of the October foul-up, that is.

For those long time readers of the Risk Factor, you may remember that Fifth Third Bank was fined over failing to follow established security protocols in the massive TJX VISA credit card breach in 2007.

Major Credit Payment Outage Hits Israel

At first, it looked like a major cyberattack was occurring. When credit card purchases and other financial transactions across Israel couldn’t be completed last Thursday morning, Israel’s Shin Bet security service was quickly called in to investigate. Alas, the Times of Israel reported, it was just another software update-related problem.

The Times reported that there was a fault in the “daily update from SHVA—the automated banking service that provides communication and computer systems for many of the credit card and banking services in Israel—which set the dollar exchange rate to zero.” As a result, payment terminals that accepted foreign currency “were stumped” by the zero value, and crashed.

A Jerusalem Post story provided a bit more information, saying that the problem was traced to an error in “an overnight software update that blocked communications between Shva, the Automated Banking Services clearinghouse owned by the banks, and Retalix, which provides the payment terminals to the [store] chains.” The update error was corrected around noon local time, and things were back to normal by early afternoon.

New California Healthcare Worker Licensing System Causing Unacceptable Delays

Another new California state IT system goes live, and just as predictably, another foul-up quickly follows. This time, it was the Department of Consumer Affairs' $52 million catchily-titled BreEZe system. The online licensing and enforcement system, which was rolled out last October, is meant to streamline the operations and increase the efficiency of the 37 boards, bureaus and committees under the jurisdiction of the Department of Consumer Affairs. The improvements, it was hoped, would allow “online license applications and license renewals for registered nurses, physician assistants, doctors and respiratory care practitioners” to be a, well, breeze.

Unfortunately, the BreEZe system has been anything but for 10 of the 37 agencies currently using it. For one, the system doesn’t yet accept online applications because of a host of unresolved software issues. And the Department can’t say when BreEZe will be able to do so. Until it does, nurses, physician assistants, etc. must send in paper applications, which then have to be manually transcribed by Department of Consumer Affairs staffers and temporary workers added by the Department in order to cope with an ever-increasing pile of applications.

Newly minted nursing school graduates have apparently been hardest hit by the backlog. Many have received job offers from hospitals and other healthcare providers, but cannot practice without a license when licensure requires confirmation that the candidate has passed a state exam. The Department of Consumer Affairs schedules and administers the exams, and processes the results, but is falling further and further behind in scheduling the tests because of the problems with BreEZe. Other healthcare workers who are already licensed but need to renew their credentials are reportedly encountering snags, too. The total backlog of applications is now said to have reached over 4000.

The problems with BreZe are now reaching a point, the Modesto Bee reports, where “some hospitals aren’t able to fill gaps in staffing or meet nurse-to-patient ratios required by state law.” The shortages have grown so critical that some hospitals are paying other facilities to take their patients.

A spokesman for the Department of Consumer Affairs told the LA Times, in a classic government statement of the obvious, “Our BreEZe computer system is not doing everything it was designed to do yet.” Why the system was ever rolled out before being able to reliably perform one of its most basic functions is anyone’s guess. 

An audit of this latest California IT disaster has been called for, but whether it ever happens remains to be seen.

Toyota Recalls 2 Million Buggy Vehicles

Finally another of the more newsworthy foul-ups was Toyota’s recall of 1.9 million Prius hybrids for a software flaw, which was discussed in a separate Risk Factor post last week.

Subsequent to that announcement, Toyota also announced a recall of another 295 000 vehicles involving both its Toyota and Lexus brand vehicles over an electrical component fault in their brake actuators. Reuters reports that the fault could increase the resistance in the fluid pressure in each wheel cylinder, which could cause the vehicles’ stability control, traction control and anti-lock brakes to become “inoperative.”  The vehicles affected include 2012 and 2013 model year Lexus RX350 crossover vehicles, 2012 and 2013 Toyota Tacoma trucks, and 2012 Toyota RAV4 SUVs.

Fifth Third National Bank of Cincinnati Files Bankruptcy for Thousands of Customers

Fifth Third National Mistakenly Reports Customers’ Bankruptcy

Fifth Third Bank Say Sorry for Bankruptcy Mistake

Fifth Third Tells Customers Not To Worry

Better Business Bureau Tells Fifth Third Bank Customers to Check Their Credit Scores

Software Update Error Crashes Israeli Credit Payment Terminals

Credit Cards Rejected Throughout Israel

Credit Card Glitch Blocks Transactions

Glitch Causes Mass Credit Card Processing Problems

California’s New Consumer Affairs BreEZe Licensing System Becalmed

Nursing Graduates Frustrated By New Licensing System

Nursing Graduates Face Delays in Taking State Licensing Exams

Audit Called For in Licensing Board System Disaster

In Other News…

Toyota Recalls 295 000 Vehicles Due to Brake Electrical Fault

Microsoft Blames Bing Chinese Censorship on System Error

MIT Tells Some Applicants They Weren’t Accepted After All

Kansas Department of Labor Computer Error Shorts Auto Workers’ Payouts

Miami County, Indiana, Server Failure Takes Out Government Online Services for Week

Online Fashion Group Asos Sees Order Meltdown

Alberta, Canada, Tourism Website Experiences Camping Reservation Problems

Virginia E-ZPass Sensor Issue Hits Hampton Roads Tunnel Drivers

Gas Sells For One Penny at Illinois Gas Station

Victoria Australia Police “Computer Error” Blamed For Child Being Beaten to Death   

GPS Monitoring Alerts Overwhelm California Probation Officers

Illustration: iStockphoto

U.S. Gives Cybersecurity Advice to Critical Infrastructure Operators—But No Rules

This Week in Cybercrime The U.S. government, finally realizing that it has to take action to ensure a minimum level of cybersecurity in networks that manage the nation’s energy, water and financial services, presented the Framework for Improving Critical Infrastructure Security on Wednesday. The document, which was put together by industry and government experts, is a compilation of cybersecurity standards and best practices; it is the result of the year-old Executive Order 13636, under which President Barack Obama directed operators of critical infrastructure to provide guidance for defending their networks.

“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said in a statement. “America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”

The 41-page document describes itself as a complement to industries’ existing risk management practices. What remains to be seen is whether this “guidance” will make firms that have minimal safeguards in place immediately take action to update or reconfigure their systems. Something tells me that a book of suggestions without force of law will not do the trick.

Industrial Control Systems Unguarded

Security researchers have been taking creators of industrial control systems and devices like programmable logic controllers to task for the abject lack of security controls that would prevent networks and the facilities they run to be taken over by hackers. But many products and systems remain insecure. That was the focus of a talk by researcher Jonathan Pollet, founder of Red Tiger Security, at the Kaspersky Security Analyst Summit in Punta Cana, Dominican Republic, on Tuesday.

Referring to the maddening state of play in industrial cybersecurity, he said, “It’s like hacking in the 1980s and 1990s,” when IT software and hardware vendors typically buried their heads in the sand, hoping that researchers presenting vulnerability reports would eventually go away if the companies ignored them long enough. According to a Kaspersky Threatpost article, Pollet recalls, “being at a Texas amusement park recently and the ride he was waiting for was malfunctioning. The operator told him the ride used a Siemens PLC as part of the control system, so he went home, got his laptop, returned and was able to debug the software, find the problem and fix it and get the ride going again.” 

Did he have credentials giving him access to the system? No. Did he face much difficulty in reconfiguring the control system for a machine that thousands of people would ride that same day? Nope. Now imagine that scenario if Pollet’s intentions had been nefarious.

That anecdote was but one example of the widespread lack of authentication, failure to use encryption, and lack of monitoring in critical systems—even after security holes are reported. Pollet said that when he does hear from industrial control and automation vendors, they present excuses such as protocols aren’t ready or that security is difficult to build in.

“All these excuses aren’t really excuses,” he said during his talk. “With the current software and hardware we have, there’s no reason we can’t have these systems secured.”

Automakers Keep Cybersecurity Discussions in Park

In another talk at this week’s Kaspersky Security Analyst Summit, security researchers Charlie Miller and Chris Valasek reported that a year after they published a detailed paper showing a series of cyberattacks that enabled them to control the steering, braking and other functions in some cars, they’ve heard nary a word from automakers about the exploits. In other words, Miller and Valasek have had neither the opportunity to explain which weakness the attacks take advantage of, nor the chance to help design systems to prevent or at least detect intrusions. Miller, referring to the automobile manufacturers, said, “We have no idea what they’re doing. They could be building something, but it could be years down the line.”

By the Power Vested In Me by Me, Myself, and I…

Dozens of phony SSL certificates spoofing legitimate ones for banks, e-commerce sites, ISPs, and social networks, were discovered this week. The unsigned certificates could put people who use apps or other software that access the Internet—but don’t necessarily check the legitimacy of SSL certificates—at risk for man-in-the-middle attacks. Netcraft, a British security firm, provided details about the bogus certs on its blog.

Apparently the various certificates have different purposes. For example, a fake YouTube cert blocked residents of Pakistan from accessing the site, a phony iTunes cert was a linchpin in an online scam, and a fraudulent Facebook cert redirected users to a phishing site.

In Other Cybercrime News…

Toyota Recalls 1.9 Million Prius Hybrids Over Software Flaw

Faulty software in Toyota's popular Prius hybrids has forced the Japanese automaker to recall 1.9 million of such vehicles worldwide. The huge recall—representing more than half of all Prius cars ever sold—shows how Toyota has adopted an increasingly cautious stance as major automakers struggle with the rise of software-related car problems.

Read More

(Un)Cover Oregon: State’s Healthcare Exchange Website Still Inoperable Four Months After Planned Launch

IT Hiccups of the WeekLast week was a rather slow week with regard to the number of reported IT errors, miscalculations, and problems. So we decided to start off this week’s IT Hiccups edition with a status check of some state Affordable Care Act (ACA) website implementations.

While most of the major snafus that plagued the operations of the U.S. government’s ACA website have been taken care of (making changes to policies still seems an issue, however), IT issues associated with several states’ implementation of the ACA continue. A nice summary accompanied by myriad news links to the difficulties in four states—Oregon, Minnesota, Massachusetts and Maryland—was provided in a ProPublica article published last week.

Oregon’s healthcare exchange, Cover Oregon, is having the worst time of it. Four months after its originally planned launch date of 1 October 2013, the $220 million site still hasn’t signed up one person for healthcare insurance.  Some 35 000 Oregonians have been enrolled in Cover Oregon via paper applications; the state has had to hire 400 workers, at a cost of $4 million, to process those applications. It is still unclear, however, when (or if) the Cover Oregon’s website will get up and running.

Read More

Virtru Crafts Countermeasures to Combat E-mail Snooping

This Week in Cybercrime Anyone who still thinks that e-mail is a secure method for sending and receiving information, raise your hand. Well, it isn’t. Now, put your hands down and pay attention. When e-mail was first created, security was an afterthought. But in the wake of revelations about spying the United States, China, and others, companies are attempting to remedy that by introducing new methods for encrypting messages.

One such company, a startup called Virtru, was founded by a former NSA data security researcher named Will Ackerly. He says the company’s secret sauce is in a browser extension that handles the encryption and decryption of content right on the device. It allows computer users to send secure messages through Gmail, Outlook, and Yahoo webmail interfaces without an external client. The software instantly encrypts whatever the user types in the body of an e-mail. The result: even the Web mail provider only sees encrypted content. Messages are encrypted in the Trusted Data Format (TDF). Ackerly knows quite a bit about TDF; he helped create the open-source security format in 2008 while still in the employ of the NSA.

Ackerly took the additional step of featuring elliptic curve Diffie-Hellman ephemeral key exchange, which means that Virtru generates a new Secure Sockets Layer, or SSL, key for every new e-mail session. Old ones are discarded. So if a hacker somehow gains access to a key or a government agency demands that it be turned over, its value is limited because it wouldn’t decrypt messages sent or received in previous sessions. This is meant to prevent a repeat of what happened to Lavabit, Edward Snowden’s former e-mail service provider. Lavabit fought, but ultimately lost, a court battle over whether it had to turn its SSL key over to the U.S. government, giving the Feds the ability to read all of its customers’ messages.

Virtru is also thinking about letting its customers manage their own keys. This would give a Virtru user the ability to limit access in terms of who can see a message and for how long. A sender could revoke a key and block access to a message, or rig it to expire at a preset time. Forwarded messages would remain encrypted and unreadable unless the new recipient receives authorization from the original sender.  

Ackerly says Virtru plans to offer the service, including all the aforementioned features, for free. According to a Computer World article, the company will generate revenue by “licensing its key management software to businesses, as well as offering other management and access visualization tools for encrypted email. Mobile clients are in the works as well, for Android and iOS.”

Target (and Its Customers) the Victim of Lax Network Security

Investigators are learning more about the data breach that let cybercriminals walk away with the credit and debit card information of tens of millions of Target customers over the holiday shopping season. And what they’re finding is troubling. The upshot: It’s becoming abundantly clear that the incident was not as much due to the genius of the hackers as it was to Target’s poor security controls.

Security blogger Brian Krebs, who originally broke the story of the Target breach, revealed on his blog that hackers gained access to Target’s network using login credentials they had stolen from a heating, ventilation, and air conditioning company. That vendor, Fazio Mechanical Services, was given access to Target’s network so that it could perform tasks such as remotely monitoring stores’ temperature and energy consumption. But it seems the retailer neglected to wall off the parts of its network containing sensitive payment card data.

Krebs says that according to sources close to the investigation, Target’s insistence that the company was the victim of a sophisticated cybercriminal campaign is purely make-believe. Once the hackers got their hands on Fazio’s username and password, they probed the network undetected, tested their malware on a few of Target’s point-of-sale devices, and eventually uploaded the malware to most of the cash registers connected to the network. The operation did not require the services of a criminal mastermind.

But it should have. The Payment Card Industry Data Security Standard, which companies like Target are required to follow, specifically says that companies should segment their networks and isolate sensitive cardholder data.

Facebook Domain Takeover Thwarted

Facebook celebrated its 10th birthday this week. The Syrian Electronic Army (SEA), decided to crash the party by attempting to hijack the social media site’s domain name and reroute it to a server under the hacker group’s control. The cybercriminals managed to get as far as modifying the WHOIS information for facebook.com, so that the domain's listed contact address was in Damascus, Syria. But they were thwarted in the more crucial step of pointing the website to one of their own servers because Facebook’s domain name registrar, VeriSign, has a registry lock feature requiring additional verification before making such a change.

You would think that requiring additional verification would be de rigueur, but the SEA has gained wide notoriety for successfully taking over domain names such as nytimes.com, sharethis.com, huffingtonpost.co.uk, and twitter.co.uk. (For a detailed account of such a domain name theft, read Steven Cherry's 2005 account of the attack on New York City ISP Panix.) In this instance, just as with the hacker group’s previous takeover campaigns, they attacked the target via a third party. The cybercriminals managed to gain some level of admin control at MarkMonitor, a domain name management company. The MarkMonitor hack was what allowed the SEA to change facebook.com’s WHOIS address.

In Other Cybercrime News…

 

F-35 Software: DoD's Chief Tester Remains Unimpressed

IT Hiccups of the WeekLast week was a very quiet week in regard to reported IT-related system snarls, snags and snafus. With yesterday being ground-hog day here in the U.S., and in keeping with the spirit of the movie of the same name, I have decided to return once more to F-35 Joint Strike Fighter and its continuing software “challenges.”  

Last week, the Department of Defense's Director of Operational Test and Evaluation (DOT&E), J. Michael Gilmore, publicly released his annual report on major U.S. defense acquisitions. Gilmore reiterated his frustration with the lack of reliability and supportability of software in major defense support and weapon system programs. While Gilmore’s report highlighted many defense programs' software problems, those related to the F-35 continue to hold center stage.

For instance, in October 2013, a new increment of Block 2B software—the block that provides initial combat capability—that was supposed to include many fixes to previously identified deficiencies, began flight testing, the report says. However, the DOT&E report goes on to say:

“Initial results with the new increment of Block 2B software indicate deficiencies still exist in fusion, radar, electronic warfare, navigation, EOTS, Distributed Aperture System (DAS), Helmet‑Mounted Display System (HMDS), and datalink. These deficiencies block the ability of the test team to complete baseline Block 2B test points, including weapons integration.”

Although plans call for the military to “complete Block 2B fight testing in October 2014...there is no margin for additional growth to meet that date,” the DOT&E report found. “Projections for completing Block 2B fight testing using the historical rate of continued growth ... show that Block 2B developmental testing will complete about 13 months later, in November 2015, and delay the associated fleet release to July of 2016.”

In addition, the DOT&E report notes that there are still problems with the F-35's Block 2A software, i.e., the block that is “designed to provide enhanced training capabilities to the Integrated Training Center at Eglin AFB, Florida, and to the first operational units.”

The F-35 test teams found:

“deficiencies in the aircraft sensor operations, particularly the Electro-Optical Targeting System (EOTS), aircraft communications capabilities, pilot electronic interfaces, and the aircraft Caution, Advisory, and Warning System. Although the software was intended to provide more mission systems capability, poor sensor performance and stability, excessive nuisance warnings, and disproportionate pilot workload required for workarounds and system resets made the software of limited utility for training. In any type of operational mission scenario, the performance of the software would be unacceptable.”

These and other software issues, e.g., related to the F-35's Autonomic Logistics Information System (ALIS)—as well as non-software related problems—notwithstanding, neither the U.S. military's nor its international partners’ enthusiasm for the F-35 has diminished. The Marine Corps, for instance, insists it's still planning for a 2015 IOC (initial operating capability) for its F35B version, while the U.K. says it is close to placing its first order and South Korea is expected to do so later this year.

The F-35 Program Office complained that while Gilmore’s report “was factually accurate” it “did not reflect concerted efforts under way by this office and industry to address software, reliability and maintenance issues,” Reuters reported. “Of course, we recognize risks still exist in the program, but they are understood and manageable,” the Program Office insisted.

Gilmore may need to remind the F-35 Program Office (again) that the DOT&E office deals with facts, not promises.

Gmail Glitch May Have Deleted Emails

I noted in last week’s IT Hiccups that Gmail and many other Google online applications including Calendar, Talk, Drive, Docs, Sites, Groups, Voice and Google+ Hangouts suffered an outage on Friday, 24 January that lasted a little more than an hour.  While Google says that the outage—caused a “software bug” that resulted in a misconfiguration of its systems—was quickly fixed, apparently there was some collateral damage that wasn’t immediately discovered.

As reported by the Verge, some Gmail users received a message early last week that stated, “You may have been impacted by a recent issue in Gmail that inadvertently caused some actions (e.g. delete, report spam) taken while viewing a message to be applied to a different message. The issue occurred between January 15 and January 22 and is now fixed. We encourage you to check your Trash and Spam folders before February 14, 2014 for any items you did not intend to delete or mark as spam and move them back to your inbox. We apologize for any inconvenience.”

It is not clear the exact number of Gmail users that were affected (Google indicates no more than 0.2 percent of its users), since only some platforms (e.g., Google’s iOS app, on mobile browsers, and the offline version of Gmail) and only some users of those platforms were affected.

Aspiring Drivers in Ahmedabad, India Frustrated by Transport Office Server Problems

There are some universal experiences that bond all humans together, like the enjoyment of good food, hearing good music, and wasting one’s time waiting at a department of motor vehicle office.  As reported by the Ahmedabad Mirror, we can all no doubt empathize with the 800 Amdavadis who had booked in advance a time to come in and apply for their learner’s license but “were forced to cool their heels for hours at Ahmedabad Regional Transport Office near Subhash Bridge” because of a server problem.

The Mirror story stated that the server problem occurred last Thursday morning, and officials at the RTO had hoped to resolve the problem by noon. However, this didn’t happen; the problem wasn’t fixed until late Friday. Meanwhile, RTO officials told the disappointed applicants who had waited right through the time the office closed on Thursday afternoon to come back and wait again this week.

F-35 Joint Strike Fighter Software Problems Linger On

F-35 Software Remains Seriously Flawed

Software Issues May Affected Marine F-35 Planned IOC

What’s Likely Behind F-35 Software Issues?

F-35 Program Office Says Its “Laser-focused” on Software Problems

Some Gmail Users May Have Had Email Accidentally Deleted

Gmail Bug Deletes Some Users’ Emails

Gmail Glitch Affects Emails

Only 0.2 Percent of Gmail Users Likely Had Emails Deleted

Aspiring Drivers in Ahmedabad, India Told To Come Back After Server Shuts Down Testing

RTO Server Crash Frustrates Learner’s Driving License Applicants

Of Other Interest …

Software Problems Distorting UK Further Education and Skills Statistics

Problems Plague Boston’s New MBTA Rail Cars

Citibank Payment Problems Affect UK Tax Filings

Successful State Health Exchanges Worry over ACA Flaws

Multi-Year NHS Glitch Causes £3.4 million in Over-payments to Scottish Dentists

Computer Issue Causes Urgent Jury Summons in Delaware

Photo: U.S. Air Force

Advertisement

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 
Load More